CVSS: 6.4EPSS: 0%CPEs: 31EXPL: 0CVE-2007-4893 – WordPress Core <= 2.2.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4893
05 Aug 2007 — wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field. wp-admin/admin-functions.php de Wordpress versiones anteriores a 2.2.3 y Wordpress multi-user (MU) versiones anteriores a 1.2.5a no verifican apropiadamente el privilegio unfiltered_html, lo cual permite a a... • http://fedoranews.org/updates/FEDORA-2007-214.shtml • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-4154 – WordPress Core <= 2.2.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-4154
03 Aug 2007 — SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands via the page_options parameter to (1) options-general.php, (2) options-writing.php, (3) options-reading.php, (4) options-discussion.php, (5) options-privacy.php, (6) options-permalink.php, (7) options-misc.php, and possibly other unspecified components. Vulnerabilidad de inyección SQL en options.php de WordPress 2.2.1 permite a administradores autenticados remotamente ej... • http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2007-4153 – WordPress Core <= 2.2.1 - Authenticated (Admin+) Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4153
03 Aug 2007 — Multiple cross-site scripting (XSS) vulnerabilities in WordPress 2.2.1 allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the Options Database Table in the Admin Panel, accessed through options.php; or (2) the opml_url parameter to link-import.php. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en WordPre... • http://codex.wordpress.org/Roles_and_Capabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 5%CPEs: 1EXPL: 2CVE-2007-4139 – WordPress Core <= 2.2.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4139
03 Aug 2007 — Cross-site scripting (XSS) vulnerability in the Temporary Uploads editing functionality (wp-admin/includes/upload.php) in WordPress 2.2.1, allows remote attackers to inject arbitrary web script or HTML via the style parameter to wp-admin/upload.php. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la funcionalidad de edición Temporary Uploads (wp-admin/includes/upload.php) de WordPress 2.2.1, permite a usuarios remotos inyectar scripts web o HTML de su elección a través del parámetro sty... • http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3639 – WordPress Core < 2.2.2 - Open Redirect
https://notcve.org/view.php?id=CVE-2007-3639
10 Jul 2007 — WordPress before 2.2.2 allows remote attackers to redirect visitors to other websites and potentially obtain sensitive information via (1) the _wp_http_referer parameter to wp-pass.php, related to the wp_get_referer function in wp-includes/functions.php; and possibly other vectors related to (2) wp-includes/pluggable.php and (3) the wp_nonce_ays function in wp-includes/functions.php. WordPress anterior a 2.2.2 permite a atacantes remotos redireccionar a los vistantes a otros sitios web y potencialmente obte... • http://osvdb.org/40802 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2007-3543 – WordPress Core <= 2.2 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2007-3543
03 Jul 2007 — Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending this file's content, along with its post_ID value, to (1) wp-app.php or (2) app.php. Vulnerabilidad de fichero de archivo no restringido en WordPress anterior a 2.2.1 y WordPress MU anterior a 1.2.3 permite a usuarios autenticados remot... • http://osvdb.org/37295 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2007-3544 – WordPress Core <= 2.2.1 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2007-3544
03 Jul 2007 — Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom fields in normal (non-attachment) posts. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-3543. Vulnerabilidad e envío de archivo no restringido en (1) wp-app.php y (2) app.php de WordPresss 2.2.1 y WordPr... • http://osvdb.org/37294 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3238
https://notcve.org/view.php?id=CVE-2007-3238
15 Jun 2007 — Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en functions.php en el tema po... • http://blogsecurity.net/wordpress/news/news-100607-1 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3241 – Cordobo Green Park (All Versions) - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3241
15 Jun 2007 — Cross-site scripting (XSS) vulnerability in blogroll.php in the cordobo-green-park theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en blogroll.php en el tema cordobo-green-park para WordPress permite a atacantes remotos inyectar scripts web o HTML de su elección mediante la porción PHP_SELF de un URI. • http://osvdb.org/36817 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3240 – Vistered Little (Unspecified Version) - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3240
14 Jun 2007 — Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses index.php. NOTE: this can be leveraged for PHP code execution in an administrative session. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en 404.php en el tema Vistered-Little para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del URI(REQUEST_URI) que... • http://osvdb.org/37441 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •