Page 24 of 345 results (0.017 seconds)

CVSS: 7.5EPSS: 1%CPEs: 75EXPL: 0

CVE-2011-4957 – WordPress Core < 3.1.1 - Denial of Service

https://notcve.org/view.php?id=CVE-2011-4957

05 Apr 2011 — The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. La función make_clickable en wp-includes/formatting.php en WordPress antes de v3.1.1 no comprueba las URL correctamente antes de pasarlas a la biblioteca PCRE, lo que permite a atacantes remotos provocar una denegación de ... • http://core.trac.wordpress.org/ticket/16892 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

CVE-2011-0701 – WordPress Core < 3.0.5 - Improper Authorization to Information Disclosure

https://notcve.org/view.php?id=CVE-2011-0701

07 Feb 2011 — wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. wp-admin/async-upload.php en media uploader en WordPress anterior a v3.0.5 permite a usuarios remotos autenticados leer (1) posts borradores o (2) posts privados a través del parámetro modificado attachment_id. • http://codex.wordpress.org/Version_3.0.5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0

CVE-2011-3818 – WordPress Core 2.9.2 and 3.0.4 - Sensitive Information Disclosure

https://notcve.org/view.php?id=CVE-2011-3818

28 Jan 2011 — WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files. WordPress v2.9.2 y v3.0.4 permiten a atacantes remotos obtener información sensible a través de una petición directa a un archivo .php, lo que revela la ruta de instalación en un mensaje de error, como se demostró con wp-admin/includes/user.php y algunos otros arch... • http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.4EPSS: 0%CPEs: 48EXPL: 1

CVE-2010-5296 – WordPress Core < 3.0.2 - Missing Authorization

https://notcve.org/view.php?id=CVE-2010-5296

30 Dec 2010 — wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action. wp-includes/capabilities.php en WordPress anterior a la versión 3.0.2, cuando se usa una configuración Multisite, no requiere el rol Super Admin para la capacidad delete_users, lo que permite a administradores remotos autenticados evadi... • http://codex.wordpress.org/Version_3.0.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •

CVSS: 6.4EPSS: 1%CPEs: 1EXPL: 0

CVE-2010-4536 – WordPress Core <= 3.0.3 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2010-4536

29 Dec 2010 — Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not in normalized form. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en KSES, como las utilizadas en WordPress antes de v3.0.4, permite a atacantes remotos inyectar secue... • http://core.trac.wordpress.org/changeset/17172/branches/3.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.5EPSS: 0%CPEs: 70EXPL: 1

CVE-2010-5106 – WordPress Core < 3.0.3 - Access Control Bypass

https://notcve.org/view.php?id=CVE-2010-5106

08 Dec 2010 — The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. La interfaz de publicación de XML-RPC remoto en xmlrpc.php en WordPress antes de v3.0.3 no realiza correctamente determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir restricciones de acceso, y publicar,... • http://codex.wordpress.org/Version_3.0.3 • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •

CVSS: 6.4EPSS: 0%CPEs: 48EXPL: 1

CVE-2010-5295 – WordPress Core < 3.0.2 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2010-5295

30 Nov 2010 — Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action. Vulnerabilidad de XSS en wp-admin/plugins.php de WordPress anterior a la versión 3.0.2 podría permitir a atacantes remotos inyectar script Web o HTML arbitrario a través del campo de autor del plugin, el cual no es correctamente manejado durante una acción Delete... • http://codex.wordpress.org/Version_3.0.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 48EXPL: 1

CVE-2010-5294 – WordPress Core < 3.0.2 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2010-5294

30 Nov 2010 — Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH connection attempt. Múltiples vulnerabilidades cross-site scripting (XSS) en la función request_filesystem_credentials en wp-admin/includes/file.php en WordPress anterior a v3.0.2 la cual permite a servidores remotos inyectar script We... • http://codex.wordpress.org/Version_3.0.2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2010-4257 – WordPress Core <= 3.0.1 - SQL Injection

https://notcve.org/view.php?id=CVE-2010-4257

30 Nov 2010 — SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. Vulnerabilidad de inyección SQL en la función do_trackbacks en wp-includes/comment.php de WordPress anterior a v3.0.2 permite a los usuarios remotos autenticados ejecutar comandos SQL a su elección a través del campo Send Trackbacks. • http://blog.sjinks.pro/wordpress/858-information-disclosure-via-sql-injection-attack • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 0%CPEs: 48EXPL: 2

CVE-2010-5293 – WordPress Core < 3.0.2 - Spam Protection Bypass

https://notcve.org/view.php?id=CVE-2010-5293

30 Nov 2010 — wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. wp-includes/comment.php en WordPress anterior a la versión 3.0.2 no incluye en lista blanca los trackbacks y pingbacks en el blogroll, lo que permite a atacantes remotos evadir restricciones de SPAM intencionadas mediante una URL manipulada, tal y ... • http://codex.wordpress.org/Version_3.0.2 • CWE-264: Permissions, Privileges, and Access Controls CWE-639: Authorization Bypass Through User-Controlled Key •