CVE-2022-21661 – SQL injection in WordPress
https://notcve.org/view.php?id=CVE-2022-21661
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. • https://www.exploit-db.com/exploits/50663 https://github.com/z92g/CVE-2022-21661 https://github.com/0x4E0x650x6F/Wordpress-cve-CVE-2022-21661 https://github.com/safe3s/CVE-2022-21661 https://github.com/purple-WL/wordpress-CVE-2022-21661 https://github.com/guestzz/CVE-2022-21661 https://github.com/TAPESH-TEAM/CVE-2022-21661-WordPress-Core-5.8.2-WP_Query-SQL-Injection https://github.com/WellingtonEspindula/SSI-CVE-2022-21661 https://github.com/sealldeveloper/CVE-2022-21661-PoC& • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-28032 – WordPress Core < 5.5.2 - Deserialization Gadget
https://notcve.org/view.php?id=CVE-2020-28032
WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. WordPress versiones anteriores a 5.5.2, maneja inapropiadamente las peticiones de deserialización en el archivo wp-includes/Requests/Utility/FilteredIterator.php • https://github.com/WordPress/wordpress-develop/commit/add6bedf3a53b647d0ebda2970057912d3cd79d3 https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y https://wordpress.org • CWE-502: Deserialization of Untrusted Data •
CVE-2020-28033 – WordPress Core < 5.5.2 - Spam Embed on Multisite Installations
https://notcve.org/view.php?id=CVE-2020-28033
WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. WordPress versiones anteriores a 5.5.2, maneja inapropiadamente las inserciones de sitios deshabilitados en una red multisitio, como es demostrado al permitir una inserción de spam • https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release https://www. • CWE-345: Insufficient Verification of Data Authenticity •
CVE-2020-28034 – WordPress Core < 5.5.2 - Reflected Cross-Site Scripting via Global Variables
https://notcve.org/view.php?id=CVE-2020-28034
WordPress before 5.5.2 allows XSS associated with global variables. WordPress versiones anteriores a 5.5.2, permite un ataque de tipo XSS asociado con variables globales • https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release https://www. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-28035 – WordPress Core < 5.5.2 - Privilege Escalation via XML-RPC
https://notcve.org/view.php?id=CVE-2020-28035
WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC. WordPress versiones anteriores a 5.5.2, permite a atacantes conseguir privilegios por medio de XML-RPC • https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release https://www. • CWE-269: Improper Privilege Management •