CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2016-5834 – WordPress Core < 4.5.3 - Cross-Site Scripting via Attachment Name
https://notcve.org/view.php?id=CVE-2016-5834
Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833. Vulnerabilidad de XSS en la función wp_get_attachment_link en wp-includes/post-template.php en WordPress en versiones anteriores a 4.5.3 permite a atacantes remotos inyectar secuencia de comandos web o HTML a través de un nombre adjunto manipulado, una vulnerabilidad diferente a CVE-2016-5833. • http://www.debian.org/security/2016/dsa-3639 http://www.securityfocus.com/bid/91368 http://www.securitytracker.com/id/1036163 https://codex.wordpress.org/Version_4.5.3 https://github.com/WordPress/WordPress/commit/4372cdf45d0f49c74bbd4d60db7281de83e32648 https://wordpress.org/news/2016/06/wordpress-4-5-3 https://wpvulndb.com/vulnerabilities/8518 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2012-6707 – WordPress Core - Informational - All known Versions - Weak Hashing Algorithm
https://notcve.org/view.php?id=CVE-2012-6707
WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions. WordPress hasta la versión 4.8.2 emplea un algoritmo débil de hash de contraseñas basado en MD5, lo que facilita que atacantes determinen valores en texto claro aprovechando el acceso a los valores hash. NOTA: la forma de cambiar esto puede no ser totalmente compatible con ciertos casos de uso, como la migración de un sitio de WordPress desde un host web que emplee una versión reciente de PHP a un host web diferente que emplee PHP 5.2. • https://core.trac.wordpress.org/ticket/21022 • CWE-261: Weak Encoding for Password CWE-326: Inadequate Encryption Strength •