CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28040 – WordPress Core < 5.5.2 - Cross-Site Request Forgery to Theme Image Change
https://notcve.org/view.php?id=CVE-2020-28040
29 Oct 2020 — WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. WordPress versiones anteriores a 5.5.2, permite ataques de tipo CSRF que cambian la imagen de fondo del tema Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to run insecure deserialization, embed spam, perform various Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks, escalate privileges, run arbitrary code, and delete arbitrary files. • https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28033 – WordPress Core < 5.5.2 - Spam Embed on Multisite Installations
https://notcve.org/view.php?id=CVE-2020-28033
29 Oct 2020 — WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. WordPress versiones anteriores a 5.5.2, maneja inapropiadamente las inserciones de sitios deshabilitados en una red multisitio, como es demostrado al permitir una inserción de spam Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to run insecure deserialization, embed spam, perform various Cross-Site Scripting (XSS) or Cross-Si... • https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-28036 – WordPress Core < 5.5.2 - Privilege Escalation via XML-RPC
https://notcve.org/view.php?id=CVE-2020-28036
29 Oct 2020 — wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post. El archivo wp-includes/class-wp-xmlrpc-server.php en WordPress versiones anteriores a 5.5.2, permite a atacantes conseguir privilegios mediante el uso de XML-RPC para comentar una publicación Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to run insecure deserialization, embed spam, perform various Cross-Site Scr... • https://github.com/WordPress/wordpress-develop/commit/c9e6b98968025b1629015998d12c3102165a7d32 • CWE-269: Improper Privilege Management CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-28035 – WordPress Core < 5.5.2 - Privilege Escalation via XML-RPC
https://notcve.org/view.php?id=CVE-2020-28035
29 Oct 2020 — WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC. WordPress versiones anteriores a 5.5.2, permite a atacantes conseguir privilegios por medio de XML-RPC Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to run insecure deserialization, embed spam, perform various Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks, escalate privileges, run arbitrary code, and delete arbitrary files. • https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html • CWE-269: Improper Privilege Management •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 0CVE-2020-28034 – WordPress Core < 5.5.2 - Reflected Cross-Site Scripting via Global Variables
https://notcve.org/view.php?id=CVE-2020-28034
29 Oct 2020 — WordPress before 5.5.2 allows XSS associated with global variables. WordPress versiones anteriores a 5.5.2, permite un ataque de tipo XSS asociado con variables globales Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to run insecure deserialization, embed spam, perform various Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks, escalate privileges, run arbitrary code, and delete arbitrary files. • https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 5EXPL: 0CVE-2020-28037 – WordPress Core < 5.5.2 - Misconfiguration That Allows Trigger of New Installation
https://notcve.org/view.php?id=CVE-2020-28037
29 Oct 2020 — is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation). La función is_blog_installed en el archivo wp-includes/functions.php en WordPress versiones anteriores a 5.5.2, determina inapropiadamente si WordPress ya está instalado, lo que podría permitir a un atacante llevar a cabo un... • https://github.com/WordPress/wordpress-develop/commit/2ca15d1e5ce70493c5c0c096ca0c76503d6da07c • CWE-285: Improper Authorization CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 6.4EPSS: 2%CPEs: 6EXPL: 0CVE-2020-28038 – WordPress Core < 5.5.2 - Stored Cross-Site Scripting via post slugs
https://notcve.org/view.php?id=CVE-2020-28038
29 Oct 2020 — WordPress before 5.5.2 allows stored XSS via post slugs. WordPress versiones anteriores a 5.5.2, permite un ataque de tipo XSS almacenado por medio de slugs de publicaciones Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to run insecure deserialization, embed spam, perform various Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks, escalate privileges, run arbitrary code, and delete arbitrary files. • https://blog.ripstech.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 1%CPEs: 6EXPL: 1CVE-2020-28032 – WordPress Core < 5.5.2 - Deserialization Gadget
https://notcve.org/view.php?id=CVE-2020-28032
29 Oct 2020 — WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. WordPress versiones anteriores a 5.5.2, maneja inapropiadamente las peticiones de deserialización en el archivo wp-includes/Requests/Utility/FilteredIterator.php Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to run insecure deserialization, embed spam, perform various Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks... • https://github.com/nth347/CVE-2020-28032_PoC • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2020-26596 – Elementor Pro <= 3.0.5 - Authenticated Remote Code Execution in Dynamic OOO Widget
https://notcve.org/view.php?id=CVE-2020-26596
06 Oct 2020 — The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role. El widget Dynamic OOO para el plugin Elementor Pro versiones hasta 3.0.5 para WordPress, permite a usuarios autenticados remotos ejecutar código arbitrario po... • https://elementor.com/pro/changelog • CWE-269: Improper Privilege Management •
CVSS: 5.4EPSS: 0%CPEs: 22EXPL: 0CVE-2020-4046 – Authenticated XSS through embed block in WordPress
https://notcve.org/view.php?id=CVE-2020-4046
10 Jun 2020 — In affected versions of WordPress, users with low privileges (like contributors and authors) can use the embed block in a certain way to inject unfiltered HTML in the block editor. When affected posts are viewed by a higher privileged user, this could lead to script execution in the editor/wp-admin. This has been patched in version 5.4.2, along with all the previously affected versions via a minor release (5.3.4, 5.2.7, 5.1.6, 5.0.10, 4.9.15, 4.8.14, 4.7.18, 4.6.19, 4.5.22, 4.4.23, 4.3.24, 4.2.28, 4.1.31, 4... • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •