CVE-2016-5835 – WordPress Core < 4.5.3 - Revision History Disclosure
https://notcve.org/view.php?id=CVE-2016-5835
WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php. WordPress en versiones anteriores a 4.5.3 permite a atacantes remotos obtener información sensible del histórico de revisión aprovechando la habilidad para leer un post relacionado con wp-admin/includes/ajax-actions.php y wp-admin/revision.php. • http://www.debian.org/security/2016/dsa-3639 http://www.securityfocus.com/bid/91366 http://www.securitytracker.com/id/1036163 https://codex.wordpress.org/Version_4.5.3 https://github.com/WordPress/WordPress/commit/a2904cc3092c391ac7027bc87f7806953d1a25a1 https://wordpress.org/news/2016/06/wordpress-4-5-3 https://wpvulndb.com/vulnerabilities/8519 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-5836 – WordPress Core < 4.5.3 - Denial of Service via oEmbed Protocol
https://notcve.org/view.php?id=CVE-2016-5836
The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors. El protocolo de implementación de oEmbed en WordPress en versiones anteriores a 4.5.3 permite a atacantes remotos provocar una denegación de servicio a través de vectores no especificados. • http://www.securityfocus.com/bid/91363 http://www.securitytracker.com/id/1036163 https://codex.wordpress.org/Version_4.5.3 https://lists.debian.org/debian-lts-announce/2018/07/msg00046.html https://wordpress.org/news/2016/06/wordpress-4-5-3 https://wpvulndb.com/vulnerabilities/8523 • CWE-400: Uncontrolled Resource Consumption •
CVE-2016-5834 – WordPress Core < 4.5.3 - Cross-Site Scripting via Attachment Name
https://notcve.org/view.php?id=CVE-2016-5834
Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833. Vulnerabilidad de XSS en la función wp_get_attachment_link en wp-includes/post-template.php en WordPress en versiones anteriores a 4.5.3 permite a atacantes remotos inyectar secuencia de comandos web o HTML a través de un nombre adjunto manipulado, una vulnerabilidad diferente a CVE-2016-5833. • http://www.debian.org/security/2016/dsa-3639 http://www.securityfocus.com/bid/91368 http://www.securitytracker.com/id/1036163 https://codex.wordpress.org/Version_4.5.3 https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648 https://wordpress.org/news/2016/06/wordpress-4-5-3 https://wpvulndb.com/vulnerabilities/8518 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-4567 – WordPress Core < 4.5.2 - Cross-Site Scripting via MediaElement.js
https://notcve.org/view.php?id=CVE-2016-4567
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn." Vulnerabilidad de XSS en flash/FlashMediaElement.as en MediaElement.js en versiones anteriores a 2.21.0, como se utiliza en WordPress en versiones anteriores a 4.5.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un formulario ofuscado del parámetro jsinitfunction, como es demostrado por "jsinitfunctio%gn". • http://www.openwall.com/lists/oss-security/2016/05/07/2 http://www.securitytracker.com/id/1035818 https://codex.wordpress.org/Version_4.5.2 https://core.trac.wordpress.org/changeset/37371 https://gist.github.com/cure53/df34ea68c26441f3ae98f821ba1feb9c https://github.com/johndyer/mediaelement/blob/master/changelog.md https://github.com/johndyer/mediaelement/commit/34834eef8ac830b9145df169ec22016a4350f06e https://wordpress.org/news/2016/05/wordpress-4-5-2 https://wpvulndb.com/vulnerabilities/8488 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-4566 – WordPress Core < 4.5.2 - Cross-Site Scripting via plupload.flash.swf
https://notcve.org/view.php?id=CVE-2016-4566
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack. Vulnerabilidad de XSS en plupload.flash.swf en Plupload en versiones anteriores a 2.1.9, como se utiliza en WordPress en versiones anteriores a 4.5.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un ataque Same-Origin Method Execution (SOME). • http://www.openwall.com/lists/oss-security/2016/05/07/2 http://www.plupload.com/punbb/viewtopic.php?pid=28690 http://www.securitytracker.com/id/1035818 https://codex.wordpress.org/Version_4.5.2 https://core.trac.wordpress.org/changeset/37382 https://gist.github.com/cure53/09a81530a44f6b8173f545accc9ed07e https://wordpress.org/news/2016/05/wordpress-4-5-2 https://wpvulndb.com/vulnerabilities/8489 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •