CVSS: 9.8EPSS: 19%CPEs: 3EXPL: 1CVE-2007-6013 – WordPress Core 1.5 - 2.3.1 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2007-6013
19 Nov 2007 — Wordpress 1.5 through 2.3.1 uses cookie values based on the MD5 hash of a password MD5 hash, which allows attackers to bypass authentication by obtaining the MD5 hash from the user database, then generating the authentication cookie from that hash. Wordpress versiones 1.5 hasta 2.3.1, usa valores de cookies basados ??en el hash MD5 de un hash MD5 de contraseñas, lo que permite a atacantes omitir la autenticación mediante la obtención del hash MD5 desde la base de datos del usuario, y luego generar la cookie... • http://lists.grok.org.uk/pipermail/full-disclosure/2007-November/058576.html • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2007-5710 – WordPress Core <= 2.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-5710
26 Oct 2007 — Cross-site scripting (XSS) vulnerability in wp-admin/edit-post-rows.php in WordPress 2.3 allows remote attackers to inject arbitrary web script or HTML via the posts_columns array parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en wp-admin/edit-post-rows.php en WordPress 2.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro array posts_columns. • https://www.exploit-db.com/exploits/30715 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 1%CPEs: 1EXPL: 1CVE-2007-5106 – WordPress Core < 2.0.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-5106
21 Sep 2007 — Cross-site scripting (XSS) vulnerability in wp-register.php in WordPress 2.0 allows remote attackers to inject arbitrary web script or HTML via the user_login parameter. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en el wp-register.php del WordPress 2.0 permite a atacantes remotos la inyección de secuencias de comandos web o HTML de su elección a través del parámetro user_login. • http://blogsecurity.net/wordpress/2-vanilla-xss-on-wordpress-wp-registerphp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 18%CPEs: 2EXPL: 3CVE-2008-5695 – WordPress Core < 2.3.3 & WordPress MU < 1.3.2 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2008-5695
08 Sep 2007 — wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins. wp-admin/options.php en versiones de WordPress MU anteriores a la 1.3.2, y WordPress 2.3.2 y anteriores, no valida las solicitudes de actualización de una opción, lo que permit... • https://www.exploit-db.com/exploits/5066 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 1%CPEs: 38EXPL: 0CVE-2008-0664 – WordPress Core < 2.3.3 - Improper Authorization Checks
https://notcve.org/view.php?id=CVE-2008-0664
08 Sep 2007 — The XML-RPC implementation (xmlrpc.php) in WordPress before 2.3.3, when registration is enabled, allows remote attackers to edit posts of other blog users via unknown vectors. La implementación XML-RPC (xmlrpc.php) en versiones anteriores a WordPress 2.3.3, cuando el registro está activado, permite a atacantes remotos editar mensajes de otros usuarios del blog a través de vectores desconocidos. • http://secunia.com/advisories/28823 • CWE-264: Permissions, Privileges, and Access Controls CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 9.8EPSS: 0%CPEs: 31EXPL: 0CVE-2007-4894 – WordPress Core < 2.2.3 & WordPress MU < 1.2.5a - SQL Injection
https://notcve.org/view.php?id=CVE-2007-4894
08 Sep 2007 — Multiple SQL injection vulnerabilities in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a allow remote attackers to execute arbitrary SQL commands via the post_type parameter to the pingback.extensions.getPingbacks method in the XMLRPC interface, and other unspecified parameters related to "early database escaping" and missing validation of "query string like parameters." Múltiples vulnerabilidades de inyección SQL en Wordpress versiones anteriores a 2.2.3 y Wordpress multi-user (MU) vers... • http://fedoranews.org/updates/FEDORA-2007-214.shtml • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 24EXPL: 3CVE-2007-6318 – WordPress Core < 2.3.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-6318
08 Sep 2007 — SQL injection vulnerability in wp-includes/query.php in WordPress 2.3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the s parameter, when DB_CHARSET is set to (1) Big5, (2) GBK, or possibly other character set encodings that support a "\" in a multibyte character. Vulnerabilidad de inyección SQL en wp-includes/query.php en WordPress 2.3.1 y anteriores permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro s, cuando DB_CHARSET está asignado en (1... • https://www.exploit-db.com/exploits/4721 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.1EPSS: 1%CPEs: 47EXPL: 2CVE-2008-2146 – WordPress Core < 2.2.3 - Restriction Bypass
https://notcve.org/view.php?id=CVE-2008-2146
08 Sep 2007 — wp-includes/vars.php in Wordpress before 2.2.3 does not properly extract the current path from the PATH_INFO ($PHP_SELF), which allows remote attackers to bypass intended access restrictions for certain pages. El archivo wp-incluye/vars.php en Wordpress versiones anteriores a 2.2.3, no extrae apropiadamente la ruta (path) actual del PATH_INFO ($PHP_SELF), que permite a atacantes remotos omitir las restricciones de acceso previstas para ciertas páginas. • http://osvdb.org/45188 • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •
CVSS: 6.4EPSS: 0%CPEs: 31EXPL: 0CVE-2007-4893 – WordPress Core <= 2.2.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4893
05 Aug 2007 — wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field. wp-admin/admin-functions.php de Wordpress versiones anteriores a 2.2.3 y Wordpress multi-user (MU) versiones anteriores a 1.2.5a no verifican apropiadamente el privilegio unfiltered_html, lo cual permite a a... • http://fedoranews.org/updates/FEDORA-2007-214.shtml • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2007-4154 – WordPress Core <= 2.2.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-4154
03 Aug 2007 — SQL injection vulnerability in options.php in WordPress 2.2.1 allows remote authenticated administrators to execute arbitrary SQL commands via the page_options parameter to (1) options-general.php, (2) options-writing.php, (3) options-reading.php, (4) options-discussion.php, (5) options-privacy.php, (6) options-permalink.php, (7) options-misc.php, and possibly other unspecified components. Vulnerabilidad de inyección SQL en options.php de WordPress 2.2.1 permite a administradores autenticados remotamente ej... • http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •