CVE-2015-5731 – WordPress Core < 4.2.4 - Cross-Site Request Forgery to Post Lockage
https://notcve.org/view.php?id=CVE-2015-5731
Cross-site request forgery (CSRF) vulnerability in wp-admin/post.php in WordPress before 4.2.4 allows remote attackers to hijack the authentication of administrators for requests that lock a post, and consequently cause a denial of service (editing blockage), via a get-post-lock action. Vulnerabilidad de CSRF en wp-admin/post.php en WordPress en versiones anteriores a 4.2.4 permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que bloquean una entrada, y por tanto causar una denegación de servicio (bloqueo de edición), a través de una acción get-post-lock. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.debian.org/security/2015/dsa-3332 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76160 http://www.securitytracker.com/id/1033178 https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33542 https://core.trac.wordpress.org/changeset/33543 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2015-5732 – WordPress Core < 4.2.4 - Cross-Site Scripting via Widget Title
https://notcve.org/view.php?id=CVE-2015-5732
Cross-site scripting (XSS) vulnerability in the form function in the WP_Nav_Menu_Widget class in wp-includes/default-widgets.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a widget title. Vulnerabilidad de XSS en la función form en la clase WP_Nav_Menu_Widget en wp-includes/default-widgets.php en WordPress en versiones anteriores a 4.2.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un título de widget. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.debian.org/security/2015/dsa-3332 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76160 http://www.securitytracker.com/id/1033178 https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33529 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8131 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5733 – WordPress Core < 4.2.4 - Stored Cross-Site Scripting via accessibility-helper Title
https://notcve.org/view.php?id=CVE-2015-5733
Cross-site scripting (XSS) vulnerability in the refreshAdvancedAccessibilityOfItem function in wp-admin/js/nav-menu.js in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via an accessibility-helper title. Vulnerabilidad de XSS en la función refreshAdvancedAccessibilityOfItem en wp-admin/js/nav-menu.js en WordPress en versiones anteriores a 4.2.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un título de asistente de accesibilidad. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.securityfocus.com/bid/76331 http://www.securitytracker.com/id/1033178 https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33540 https://core.trac.wordpress.org/changeset/33541 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release https://wpvulndb.com/vulnerabilities/8132 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5734 – WordPress Core < 4.2.4 - Cross-Site Scripting in Theme Preview
https://notcve.org/view.php?id=CVE-2015-5734
Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string. Vulnerabilidad de XSS en la implementación legacy theme preview en wp-includes/theme.php en WordPress en versiones anteriores a 4.2.4 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una cadena manipulada. • http://openwall.com/lists/oss-security/2015/08/04/7 http://www.debian.org/security/2015/dsa-3332 http://www.debian.org/security/2015/dsa-3383 http://www.securityfocus.com/bid/76331 http://www.securitytracker.com/id/1033178 https://blog.sucuri.net/2015/08/persistent-xss-vulnerability-in-wordpress-explained.html https://codex.wordpress.org/Version_4.2.4 https://core.trac.wordpress.org/changeset/33549 https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-mainte • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2015-5623 – WordPress Core < 4.2.3 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2015-5623
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php. Vulnerabilidad en WordPress en versiones anteriores a 4.2.3, no verifica adecuadamente la capacidad de edit_posts, lo que permite a usuarios remotos autenticados eludir las restricciones destinadas al acceso y crear borradores mediante el aprovechamiento del rol Subscriber, según lo demostrado por una acción post-quickdraft-save a wp-admin/post.php. • http://codex.wordpress.org/Version_4.2.3 http://openwall.com/lists/oss-security/2015/07/23/18 http://www.debian.org/security/2015/dsa-3328 http://www.securityfocus.com/bid/76011 http://www.securitytracker.com/id/1033037 https://core.trac.wordpress.org/changeset/33357 https://wordpress.org/news/2015/07/wordpress-4-2-3 https://wpvulndb.com/vulnerabilities/8111 • CWE-284: Improper Access Control CWE-862: Missing Authorization •