CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2015-8834 – WordPress Core < 4.2.2 - Cross-Site Scripting via Comments
https://notcve.org/view.php?id=CVE-2015-8834
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440. Vulnerabilidad de XSS en wp-includes/wp-db.php en WordPress en versiones anteriores a 4.2.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un comentario largo que se almacena de manera incorrecta debido a las limitaciones en el tipo de dato MySQL TEXT. NOTA: esta vulnerabilidad existe debido a una solución incompleta de CVE-2015-3440. • http://www.debian.org/security/2016/dsa-3639 https://codex.wordpress.org/Version_4.2.2 https://wordpress.org/news/2015/05/wordpress-4-2-2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 93%CPEs: 3EXPL: 4CVE-2015-3440 – WordPress Core < 4.2.1 - Cross-Site Scripting via Comments
https://notcve.org/view.php?id=CVE-2015-3440
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. Vulnerabilidad de XSS en wp-includes/wp-db.php en WordPress en versiones anteriores a 4.2.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un comentario largo que es almacenado indebidamente a causa de las limitaciones en el tipo de datos de MySQL TEXT. • https://www.exploit-db.com/exploits/36844 http://codex.wordpress.org/Version_4.2.1 http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157391.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html http://osvdb.org/show/osvdb/121320 http://packetstormsecurity.com/files/131644/WordPress-4.2-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/Apr/84 http:/&# • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 2%CPEs: 3EXPL: 1CVE-2015-3438 – WordPress Core < 4.1.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2015-3438
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment. Múltiples vulnerabilidades de XSS en WordPress en versiones anteriores a 4.1.2 cuando se utiliza MySQL sin modo estricto, permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de un (1) carácter UTF-8 de cuatro bytes o (2) carácter no válido que alcanza la capa de la base de datos, según lo demostrado mediante un carácter manipulado en un comentario. • http://codex.wordpress.org/Version_4.1.2 http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157391.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html http://www.debian.org/security/2015/dsa-3250 http://www.securityfocus.com/bid/74269 http://www.securitytracker.com/id/1032207 https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2 https://wordpress.org& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 3CVE-2015-3429 – Twenty Fifteen Theme <= 1.1 & WordPress Core < 4.2.2 - Cross-Site Scripting via example.html
https://notcve.org/view.php?id=CVE-2015-3429
Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or HTML via a fragment identifier. Vulnerabilidad de XSS en example.html en Genericons anterior a 3.3.1, utilizado en WordPress anterior a 4.2.2, permite a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a través de un identificador de fragmentos. WordPress Twenty Fifteen theme version 4.2.1 suffers from a cross site scripting vulnerability. • http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html http://packetstormsecurity.com/files/131802/WordPress-Twenty-Fifteen-4.2.1-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/May/41 http://www.debian.org/security/2015/dsa-3328 http://www.securityfocus.com/archive/1/535486/100/1000/threaded http://www.securityfocus.com/bid/74534 https://github.com/Automattic/Genericons/comm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 0CVE-2014-6412 – WordPress Core < 4.4 - Brute Force Password Recovery Tokens
https://notcve.org/view.php?id=CVE-2014-6412
WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. Las versiones anteriores a la 4.4 de WordPress facilitan que atacantes remotos puedan predecir tokens password-recovery mediante un ataque de fuerza bruta. • http://packetstormsecurity.com/files/130380/WordPress-Failed-Randomness.html http://seclists.org/fulldisclosure/2015/Feb/42 http://seclists.org/fulldisclosure/2015/Feb/53 http://www.securityfocus.com/bid/72589 http://www.securitytracker.com/id/1031749 https://bugzilla.redhat.com/show_bug.cgi?id=1192474 https://core.trac.wordpress.org/ticket/28633 • CWE-261: Weak Encoding for Password CWE-640: Weak Password Recovery Mechanism for Forgotten Password •