Page 30 of 266 results (0.011 seconds)

CVSS: 4.3EPSS: 0%CPEs: 98EXPL: 0

WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. WordPress anterior a 3.7.2 y 3.8.x anterior a 3.8.2 permite a usuarios remotos autenticados publicar mensajes mediante el aprovechamiento del rol de Colaborador, relacionado con wp-admin/includes/post.php y wp-admin/includes/class-wp-posts-list-table.php. • http://codex.wordpress.org/Version_3.7.2 http://codex.wordpress.org/Version_3.8.2 http://core.trac.wordpress.org/changeset/27976 http://www.debian.org/security/2014/dsa-2901 https://bugzilla.redhat.com/show_bug.cgi?id=1085866 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •

CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 1

Cross-site request forgery (CSRF) vulnerability in the retrospam component in wp-admin/options-discussion.php in WordPress 2.0.11 and earlier allows remote attackers to hijack the authentication of administrators for requests that move comments to the moderation list. V ulnerabilidad Cross-site request forgery (CSRF) en el componente retrospam en wp-admin/options-discussion.php en WordPress 2.0.11 y anteriores permite a atacantes remotos secuestrar la autenticación de los administradores de las solicitudes que mueven comentarios a la moderación de la lista. • https://www.exploit-db.com/exploits/38924 http://seclists.org/fulldisclosure/2013/Dec/145 http://www.osvdb.org/101184 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1EPSS: 0%CPEs: 21EXPL: 1

Cross-site scripting (XSS) vulnerability in platinum_seo_pack.php in the Platinum SEO plugin before 1.3.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. Vulnerabilidad XSS en platinum_seo_pack.php en el plugin Platinum SEO anterior a v1.3.8 para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través del parámetro "s". • http://osvdb.org/ref/97/platinum_seo.txt http://www.osvdb.org/97263 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. wp-admin/includes/post.php en WordPress anteriores a 3.6.1 permite a usuarios remotos autentificados falsear la autoría de una entrada aprovechando el rol Author y utilizando un parámetro user_ID modificado. • http://codex.wordpress.org/Version_3.6.1 http://core.trac.wordpress.org/changeset/25321 http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116828.html http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116832.html http://lists.fedoraproject.org/pipermail/package-announce/2013-September/117118.html http://wordpress.org/news/2013/09/wordpress-3-6-1 http://www.debian.org/security/2013/dsa-2757 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

The get_allowed_mime_types function in wp-includes/functions.php in WordPress before 3.6.1 does not require the unfiltered_html capability for uploads of .htm and .html files, which might make it easier for remote authenticated users to conduct cross-site scripting (XSS) attacks via a crafted file. La función get_allowed_mime_types en wp-includes/functions.php de WordPress anterior a 3.6.1 no requiere la capacidad unfiltered_html para subidas de ficheros .htm y .html lo cual podría facilitar a usuarios remotos autenticados realizar un ataque cross-site scripting (XSS) a través de un fichero manipulado • http://codex.wordpress.org/Version_3.6.1 http://core.trac.wordpress.org/changeset/25322 http://wordpress.org/news/2013/09/wordpress-3-6-1 http://www.debian.org/security/2013/dsa-2757 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •