CVSS: 5.5EPSS: 1%CPEs: 1EXPL: 0CVE-2015-5732 – WordPress Core < 4.2.4 - Cross-Site Scripting via Widget Title
https://notcve.org/view.php?id=CVE-2015-5732
Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title. Vulnerabilidad de XSS en la función form en la clase WP_Nav_Menu_Widget en wp-includes/default-widgets.php en WordPress en versiones anteriores a 4.2.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un título de widget. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.debian.org/security/2015/dsa-3332 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76160 http://www.securitytracker.com/id/1033178 https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33529 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8131 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2015-5734 – WordPress Core < 4.2.4 - Cross-Site Scripting in Theme Preview
https://notcve.org/view.php?id=CVE-2015-5734
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string. Vulnerabilidad de XSS en la implementación legacy theme preview en wp-includes/theme.php en WordPress en versiones anteriores a 4.2.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una cadena manipulada. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.debian.org/security/2015/dsa-3332 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76331 http://www.securitytracker.com/id/1033178 https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33549 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-mainte • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-2213 – WordPress Core < 4.2.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2015-2213
SQL injection vulnerability in the wp_untrash_post_comments function in wp-includes/post.php in WordPress before 4.2.4 allows remote attackers to execute arbitrary SQL commands via a comment that is mishandled after retrieval from the trash. Vulnerabilidad de inyección SQL en la función wp_untrash_post_comments en wp-includes/post.php en WordPress en versiones anteriores a 4.2.4 permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de un comentario que no es manejado correctamente después de haber sido recuperado de la papelera de reciclaje. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.debian.org/security/2015/dsa-3332 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76160 http://www.securitytracker.com/id/1033178 https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33555 https://core.trac.wordpress.org/changeset/33556 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release https://wpvulndb.com/ • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5622 – WordPress Core < 4.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2015-5622
Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php. Vulnerabilidad de XSS en WordPress en versiones anteriores a 4.2.3, permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través del aprovechamiento del rol de Author o Contributor para colocar un código corto manipulado dentro de un elemento HTML, relacionado con wp-includes/kses.php y wp-includes/shortcodes.php. • http://codex.wordpress.org/Version_4.2.3 http://openwall.com/lists/oss-security/2015/07/23/18 http://www.debian.org/security/2015/dsa-3328 http://www.debian.org/security/2015/dsa-3332 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76011 http://www.securitytracker.com/id/1033037 https://core.trac.wordpress.org/changeset/33359 https://klikki.fi/adv/wordpress3.html https://wordpress.org/news/2015/07/wordpress-4-2-3 https:/& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2015-5623 – WordPress Core < 4.2.3 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2015-5623
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php. Vulnerabilidad en WordPress en versiones anteriores a 4.2.3, no verifica adecuadamente la capacidad de edit_posts, lo que permite a usuarios remotos autenticados eludir las restricciones destinadas al acceso y crear borradores mediante el aprovechamiento del rol Subscriber, según lo demostrado por una acción post-quickdraft-save a wp-admin/post.php. • http://codex.wordpress.org/Version_4.2.3 http://openwall.com/lists/oss-security/2015/07/23/18 http://www.debian.org/security/2015/dsa-3328 http://www.securityfocus.com/bid/76011 http://www.securitytracker.com/id/1033037 https://core.trac.wordpress.org/changeset/33357 https://wordpress.org/news/2015/07/wordpress-4-2-3 https://wpvulndb.com/vulnerabilities/8111 • CWE-284: Improper Access Control CWE-862: Missing Authorization •