CVSS: 6.4EPSS: 12%CPEs: 1EXPL: 0CVE-2015-5714 – WordPress Core < 4.3.1 - Cross-Site Scripting via Shortcodes
https://notcve.org/view.php?id=CVE-2015-5714
Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags. Vulnerabilidad de XSS en WordPress en versiones anteriores a 4.3.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios aprovechando el manejo incorrecto de elementos HTML no cerrados durante el procesamiento de etiquetas acortadas. • http://www.debian.org/security/2015/dsa-3375 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76745 http://www.securitytracker.com/id/1033979 https://codex.wordpress.org/Version_4.3.1 https://github.com/WordPress/WordPress/commit/f72b21af23da6b6d54208e5c1d65ececdaa109c8 https://security-tracker.debian.org/tracker/CVE-2015-5714 https://wordpress.org/news/2015/09/wordpress-4-3-1 https://wpvulndb.com/vulnerabilities/8186 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5730 – WordPress Core < 4.2.4 - Timing Side-Channel Attack
https://notcve.org/view.php?id=CVE-2015-5730
The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated. La función sanitize_widget_instance en wp-includes/class-wp-customize-widgets.php en WordPress en versiones anteriores a 4.2.4 no usa una comparación a tiempo constante para los widgets, lo que permite a atacantes remotos llevar a cabo un ataque de sincronización de canal lateral midiendo el retraso antes de que sea calculada la desigualdad. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.debian.org/security/2015/dsa-3332 http://www.securityfocus.com/bid/76160 http://www.securitytracker.com/id/1033178 https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33535 https://core.trac.wordpress.org/changeset/33536 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8130 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-208: Observable Timing Discrepancy •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2015-5731 – WordPress Core < 4.2.4 - Cross-Site Request Forgery to Post Lockage
https://notcve.org/view.php?id=CVE-2015-5731
Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action. Vulnerabilidad de CSRF en wp-admin/post.php en WordPress en versiones anteriores a 4.2.4 permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que bloquean una entrada, y por tanto causar una denegación de servicio (bloqueo de edición), a través de una acción get-post-lock. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.debian.org/security/2015/dsa-3332 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76160 http://www.securitytracker.com/id/1033178 https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33542 https://core.trac.wordpress.org/changeset/33543 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-2213 – WordPress Core < 4.2.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2015-2213
SQL injection vulnerability in the wp_untrash_post_comments function in wp-includes/post.php in WordPress before 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash. Vulnerabilidad de inyección SQL en la función wp_untrash_post_comments en wp-includes/post.php en WordPress en versiones anteriores a 4.2.4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de un comentario que no es manejado correctamente después de haber sido recuperado de la papelera de reciclaje. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.debian.org/security/2015/dsa-3332 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76160 http://www.securitytracker.com/id/1033178 https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33555 https://core.trac.wordpress.org/changeset/33556 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release https://wpvulndb.com/ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5EPSS: 1%CPEs: 1EXPL: 0CVE-2015-5732 – WordPress Core < 4.2.4 - Cross-Site Scripting via Widget Title
https://notcve.org/view.php?id=CVE-2015-5732
Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title. Vulnerabilidad de XSS en la función form en la clase WP_Nav_Menu_Widget en wp-includes/default-widgets.php en WordPress en versiones anteriores a 4.2.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un título de widget. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.debian.org/security/2015/dsa-3332 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76160 http://www.securitytracker.com/id/1033178 https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33529 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8131 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •