CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2007-1230 – WordPress Core <= 2.1.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-1230
02 Mar 2007 — Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/functions.php in WordPress before 2.1.2-alpha allow remote attackers to inject arbitrary web script or HTML via (1) the Referer HTTP header or (2) the URI, a different vulnerability than CVE-2007-1049. Múltiples vulnerabilidades de secuencias de comandos en sitios cruzados (XSS) en wp_includes/functions.php de WordPress anterior a 2.1.2-alpha permiten a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de (... • http://osvdb.org/34361 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.2EPSS: 4%CPEs: 1EXPL: 2CVE-2007-1244 – WordPress Core <= 2.1.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-1244
02 Mar 2007 — Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks and steal cookies via the post parameter. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en el AdminPanel en WordPress 2.1.1 y anteriores permite a atacantes remotos realizar ac... • https://www.exploit-db.com/exploits/29682 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 1%CPEs: 23EXPL: 2CVE-2007-1049 – WordPress Core < 2.09 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-1049
21 Feb 2007 — Cross-site scripting (XSS) vulnerability in the wp_explain_nonce function in the nonce AYS functionality (wp-includes/functions.php) for WordPress 2.0 before 2.0.9 and 2.1 before 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the file parameter to wp-admin/templates.php, and possibly other vectors involving the action variable. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la función wp_explain_nonce de la funcionalidad nonce AYS (wp-includes/functions.php) p... • https://www.exploit-db.com/exploits/29598 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2011-0700 – WordPress Core <= 3.0.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-0700
11 Feb 2007 — Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Wordpress en versiones anteriores a v3.0.5, permite a atacantes remotos inyect... • http://codex.wordpress.org/Version_3.0.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 5%CPEs: 1EXPL: 1CVE-2007-0540 – WordPress Core 1.x/2.0.x - Pingback SourceURI Denial of Service / Information Disclosure
https://notcve.org/view.php?id=CVE-2007-0540
29 Jan 2007 — WordPress allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a file with a binary content type, which is downloaded even though it cannot contain usable pingback data. WordPress permite a atacantes remotos provocar una denegación de servicio (agotamiento de ancho de banda o hilos) mediante llamadas al servicio de pingback con un URI origen que corresponde a un archivo con un tipo de contenido binario, que es... • https://www.exploit-db.com/exploits/29522 •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2007-0541 – WordPress Core < 2.1 - Directory Traversal
https://notcve.org/view.php?id=CVE-2007-0541
24 Jan 2007 — WordPress allows remote attackers to determine the existence of arbitrary files, and possibly read portions of certain files, via pingback service calls with a source URI that corresponds to a local pathname, which triggers different fault codes for existing and non-existing files, and in certain configurations causes a brief file excerpt to be published as a blog comment. WordPress permite a atacantes remotos determinar la existencia de archivos de su elección, y posiblemente leer porciones de determinados... • http://securityreason.com/securityalert/2191 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2008-0195 – WordPress Core < 2.1 - Full Path Disclosure
https://notcve.org/view.php?id=CVE-2008-0195
22 Jan 2007 — WordPress 2.0.11 and earlier allows remote attackers to obtain sensitive information via an empty value of the page parameter to certain PHP scripts under wp-admin/, which reveals the path in various error messages. WordPress 2.0.11 y anteriores permite a atacantes remotos obtener información sensible mediante un valor vacío del parámetro page a ciertas secuencias de comandos PHP bajo wp-admin/, lo cual revela la ruta en varios mensajes de error. • http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059439.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2007-0539 – WordPress Core < 2.1 - Denial of Service
https://notcve.org/view.php?id=CVE-2007-0539
22 Jan 2007 — The wp_remote_fopen function in WordPress before 2.1 allows remote attackers to cause a denial of service (bandwidth or thread consumption) via pingback service calls with a source URI that corresponds to a large file, which triggers a long download session without a timeout constraint. La función wp_remote_fopen en WordPress anterior a versión 2.1 permite a los atacantes remotos causar una denegación de servicio (ancho de banda o consumo del hilo) por medio de llamadas de servicio pingback con un URI fuent... • http://securityreason.com/securityalert/2191 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2007-0262 – WordPress Core < 2.0.7 - Full Path Disclosure
https://notcve.org/view.php?id=CVE-2007-0262
15 Jan 2007 — WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. WordPress 2.0.6, y 2.1Alpha 3 (SVN:4662), no verifican apropiadamente que el valor del parámetro m tiene el tipo de datos string, lo cual permite a atacantes remotos obtener información confidenc... • http://osvdb.org/33458 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 4%CPEs: 19EXPL: 1CVE-2007-0233 – WordPress Core < 2.0.7 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-0233
13 Jan 2007 — wp-trackback.php in WordPress 2.0.6 and earlier does not properly unset variables when the input data includes a numeric parameter with a value matching an alphanumeric parameter's hash value, which allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. NOTE: it could be argued that this vulnerability is due to a bug in the unset PHP command (CVE-2006-3017) and the proper fix should be in PHP; if so, then this should not be treated as a vulnerability in WordPress. wp-trackback.ph... • https://www.exploit-db.com/exploits/3109 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •