Page 30 of 165 results (0.018 seconds)

CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 0

WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. Las versiones anteriores a la 4.4 de WordPress facilitan que atacantes remotos puedan predecir tokens password-recovery mediante un ataque de fuerza bruta. • http://packetstormsecurity.com/files/130380/WordPress-Failed-Randomness.html http://seclists.org/fulldisclosure/2015/Feb/42 http://seclists.org/fulldisclosure/2015/Feb/53 http://www.securityfocus.com/bid/72589 http://www.securitytracker.com/id/1031749 https://bugzilla.redhat.com/show_bug.cgi?id=1192474 https://core.trac.wordpress.org/ticket/28633 • CWE-261: Weak Encoding for Password CWE-640: Weak Password Recovery Mechanism for Forgotten Password •

CVSS: 7.7EPSS: 0%CPEs: 10EXPL: 0

wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource. wp-includes/http.php en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 permite a atacantes remotos realizar ataques de CSRF mediante la referencia a un recurso 127.0.0.0/8. • http://advisories.mageia.org/MGASA-2014-0493.html http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securitytracker.com/id/1031243 https://core.trac.wordpress.org/changeset/30444 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-20: Improper Input Validation CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 6.4EPSS: 0%CPEs: 12EXPL: 0

Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post. Vulnerabilidad de XSS en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una secuencia manipulada de tokens de Cascading Style Sheets (CSS) en un post. • http://advisories.mageia.org/MGASA-2014-0493.html http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securityfocus.com/bid/71236 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 0

wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. wp-login.php en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 podría permitir a atacantes remotos reconfigurar las contraseñas mediante el aprovechamiento del acceso a una cuenta de email que recibió un mensaje de reconfiguración de la contraseña. • http://advisories.mageia.org/MGASA-2014-0493.html http://core.trac.wordpress.org/changeset/30431 http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-254: 7PK - Security Features CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.4EPSS: 0%CPEs: 12EXPL: 0

Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en Press This en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://advisories.mageia.org/MGASA-2014-0493.html http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securityfocus.com/bid/71236 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •