CVSS: 7.2EPSS: 0%CPEs: 4EXPL: 0CVE-2014-9032 – WordPress Core < 4.0.1 - Cross-Site Scripting via media-playlists
https://notcve.org/view.php?id=CVE-2014-9032
Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en la caracteristica media-playlists en WordPress anterior a 3.9.x anterior a 3.9.3 y 4.x anterior a 4.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://advisories.mageia.org/MGASA-2014-0493.html http://openwall.com/lists/oss-security/2014/11/25/12 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securityfocus.com/bid/71236 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 29%CPEs: 10EXPL: 2CVE-2014-9034 – WordPress Core < 4.0.1 - Denial of Service via Long Password
https://notcve.org/view.php?id=CVE-2014-9034
wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016. wp-includes/class-phpass.php en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 permite a atacantes remotos causar una denegación de servicio (consumo de CPU) a través de una contraseña larga que no se maneja debidamente durante la creación de hashes, un problema similar a CVE-2014-9016. A vulnerability present in Drupal versions prior to 7.34 and WordPress versions prior to 4.0.1 allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service). • https://www.exploit-db.com/exploits/35414 https://www.exploit-db.com/exploits/35413 http://advisories.mageia.org/MGASA-2014-0493.html http://core.trac.wordpress.org/changeset/30467 http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-19: Data Processing Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.4EPSS: 0%CPEs: 12EXPL: 0CVE-2014-9035 – WordPress Core < 4.0.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-9035
Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de XSS en Press This en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados. • http://advisories.mageia.org/MGASA-2014-0493.html http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securityfocus.com/bid/71236 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 12EXPL: 0CVE-2014-9036 – WordPress Core < 4.0.1 - Cross-Site Scripting via CSS
https://notcve.org/view.php?id=CVE-2014-9036
Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post. Vulnerabilidad de XSS en WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de una secuencia manipulada de tokens de Cascading Style Sheets (CSS) en un post. • http://advisories.mageia.org/MGASA-2014-0493.html http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securityfocus.com/bid/71236 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 14EXPL: 0CVE-2014-9037 – Wordpress Core < 4.0.1 - Hash Collision
https://notcve.org/view.php?id=CVE-2014-9037
WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash. WordPress anterior a 3.7.5, 3.8.x anterior a 3.8.5, 3.9.x anterior a 3.9.3, y 4.x anterior a 4.0.1 podría permitir a atacantes remotos obtener el acceso a una cuenta ociosa desde el 2008 mediante el aprovechamiento de una comparación indebida del tipo dinámico de PHP para un hash MD5. • http://advisories.mageia.org/MGASA-2014-0493.html http://openwall.com/lists/oss-security/2014/11/25/12 http://www.debian.org/security/2014/dsa-3085 http://www.mandriva.com/security/advisories?name=MDVSA-2014:233 http://www.securitytracker.com/id/1031243 https://wordpress.org/news/2014/11/wordpress-4-0-1 • CWE-310: Cryptographic Issues CWE-916: Use of Password Hash With Insufficient Computational Effort •