Page 31 of 163 results (0.012 seconds)

CVSS: 8.8EPSS: 0%CPEs: 14EXPL: 0

wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. wp-login.php en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 podría permitir a atacantes remotos reconfigurar las contraseñas mediante el aprovechamiento del acceso a una cuenta de email que recibió un mensaje de reconfiguración de la contraseña. • http://advisories.mageia.org/MGASA-2014-0493.html http://core.trac.wordpress.org/changeset/30431 http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-254: 7PK - Security Features CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.4EPSS: 0%CPEs: 12EXPL: 0

Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en Press This en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://advisories.mageia.org/MGASA-2014-0493.html http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securityfocus.com/bid/71236 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 27%CPEs: 10EXPL: 2

wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016. wp-includes/class-phpass.php en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 permite a atacantes remotos causar una denegación de servicio (consumo de CPU) a través de una contraseña larga que no se maneja debidamente durante la creación de hashes, un problema similar a CVE-2014-9016. A vulnerability present in Drupal versions prior to 7.34 and WordPress versions prior to 4.0.1 allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). • https://www.exploit-db.com/exploits/35414 https://www.exploit-db.com/exploits/35413 http://advisories.mageia.org/MGASA-2014-0493.html http://core.trac.wordpress.org/changeset/30467 http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-19: Data Processing Errors CWE-400: Uncontrolled Resource Consumption •

CVSS: 6.4EPSS: 12%CPEs: 9EXPL: 0

Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post. Vulnerabilidad de XSS en la función wptexturize en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, y 3.9.x anterior a 3.9.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del uso manipulado de paréntesis de código corto en un campo de texto, tal y como fue demostrado por un comentario o un post. • http://advisories.mageia.org/MGASA-2014-0493.html http://klikki.fi/adv/wordpress.html http://openwall.com/lists/oss-security/2014/11/25/12 http://seclists.org/fulldisclosure/2014/Nov/62 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securityfocus.com/bid/71237 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.1EPSS: 0%CPEs: 14EXPL: 0

WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash. WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 podría permitir a atacantes remotos obtener el acceso a una cuenta ociosa desde el 2008 mediante el aprovechamiento de una comparación indebida del tipo dinámico de PHP para un hash MD5. • http://advisories.mageia.org/MGASA-2014-0493.html http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-310: Cryptographic Issues CWE-916: Use of Password Hash With Insufficient Computational Effort •