CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 0CVE-2007-3639 – WordPress Core < 2.2.2 - Open Redirect
https://notcve.org/view.php?id=CVE-2007-3639
10 Jul 2007 — WordPress before 2.2.2 allows remote attackers to redirect visitors to other websites and potentially obtain sensitive information via (1) the _wp_http_referer parameter to wp-pass.php, related to the wp_get_referer function in wp-includes/functions.php; and possibly other vectors related to (2) wp-includes/pluggable.php and (3) the wp_nonce_ays function in wp-includes/functions.php. WordPress anterior a 2.2.2 permite a atacantes remotos redireccionar a los vistantes a otros sitios web y potencialmente obte... • http://osvdb.org/40802 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2007-3543 – WordPress Core <= 2.2 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2007-3543
03 Jul 2007 — Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending this file's content, along with its post_ID value, to (1) wp-app.php or (2) app.php. Vulnerabilidad de fichero de archivo no restringido en WordPress anterior a 2.2.1 y WordPress MU anterior a 1.2.3 permite a usuarios autenticados remot... • http://osvdb.org/37295 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2007-3544 – WordPress Core <= 2.2.1 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2007-3544
03 Jul 2007 — Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom fields in normal (non-attachment) posts. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-3543. Vulnerabilidad e envío de archivo no restringido en (1) wp-app.php y (2) app.php de WordPresss 2.2.1 y WordPr... • http://osvdb.org/37294 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.0EPSS: 1%CPEs: 1EXPL: 0CVE-2007-3238
https://notcve.org/view.php?id=CVE-2007-3238
15 Jun 2007 — Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en functions.php en el tema po... • http://blogsecurity.net/wordpress/news/news-100607-1 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3241 – Cordobo Green Park (All Versions) - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3241
15 Jun 2007 — Cross-site scripting (XSS) vulnerability in blogroll.php in the cordobo-green-park theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en blogroll.php en el tema cordobo-green-park para WordPress permite a atacantes remotos inyectar scripts web o HTML de su elección mediante la porción PHP_SELF de un URI. • http://osvdb.org/36817 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3240 – Vistered Little (Unspecified Version) - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3240
14 Jun 2007 — Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses index.php. NOTE: this can be leveraged for PHP code execution in an administrative session. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en 404.php en el tema Vistered-Little para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del URI(REQUEST_URI) que... • http://osvdb.org/37441 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 2%CPEs: 1EXPL: 1CVE-2007-3140 – WordPress Core <= 2.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-3140
08 Jun 2007 — SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897. Vulnerabilidad de inyección SQL en xmlrpc.php de WordPress 2.2 permite a usuarios remotos autenticados ejecutar comandos SQL de su elección a través de un valor de parámetro en una llamada de método XML RPC wp.suggestCategories, vector distinto de CVE-2007-1897. • https://www.exploit-db.com/exploits/4039 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-3239 – AndyBlue Theme < 1.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3239
08 Jun 2007 — Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 20070607 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to index.php. NOTE: this can be leveraged for PHP code execution in an administrative session. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en searchform.php en el tema AndyBlue versiones anteriores a 20070607 para WordPress permite a atacantes remotos inyectar scripts web o HTML de... • http://osvdb.org/36379 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 5%CPEs: 1EXPL: 3CVE-2007-2821 – WordPress Core 2.1.3 - 'admin-ajax.php' SQL Injection Blind Fishing
https://notcve.org/view.php?id=CVE-2007-2821
22 May 2007 — SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. Vulnerabilidad de inyección SQL en wp-admin/admin-ajax.php en WordPress anterior a 2.2 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro cookie. • https://www.exploit-db.com/exploits/3960 •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-1893 – WordPress Core < 2.1.3 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2007-1893
03 Apr 2007 — xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post." xmlrpc (xmlrpc.php) en WordPress versión 2.1.2, y probablemente anteriores, permite a usuarios autenticados remotos con el rol de colaborador omitir las restricciones de acceso previstas e invocar la funcionalidad publish_posts, que puede ser usada pa... • http://secunia.com/advisories/24751 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •