Page 31 of 260 results (0.004 seconds)

CVSS: 8.8EPSS: 10%CPEs: 1EXPL: 1

CVE-2013-4338 – WordPress Core < 3.6.1 - Deserialization

https://notcve.org/view.php?id=CVE-2013-4338

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. wp-includes/functions.php en WordPress anterior a 3.6.1 no determina apropiadamente si los datos han sido serializados lo que permite a usuarios remotos ejecutar codigo arbitrario lanzando operaciones PHP erróneas de deserialización • http://codex.wordpress.org/Version_3.6.1 http://core.trac.wordpress.org/changeset/25325 http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116828.html http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116832.html http://lists.fedoraproject.org/pipermail/package-announce/2013-September/117118.html http://wordpress.org/news/2013/09/wordpress-3-6-1 http://www.debian.org/security/2013/dsa-2757 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •

CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 2

CVE-2013-4339 – WordPress Core < 3.6.1 - Open Redirect

https://notcve.org/view.php?id=CVE-2013-4339

WordPress before 3.6.1 does not properly validate URLs before use in an HTTP redirect, which allows remote attackers to bypass intended redirection restrictions via a crafted string. WordPress anterior a v3.6.1 no valida adecuadamente las URLs antes de su uso en una redirección HTTP, lo que permite a atacantes remotos evitar las restricciones establecidas a las redirecciones a través de una cadena hecha mano. WordPress version 3.6 suffers from multiple URL redirection restriction bypass vulnerabilities. • http://codex.wordpress.org/Version_3.6.1 http://core.trac.wordpress.org/changeset/25323 http://core.trac.wordpress.org/changeset/25324 http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116828.html http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116832.html http://lists.fedoraproject.org/pipermail/package-announce/2013-September/117118.html http://seclists.org/fulldisclosure/2013/Dec/174 http://wordpress.org/news/2013/09/wordpress-3-6-1 http:/ • CWE-20: Improper Input Validation CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1

CVE-2013-4340 – WordPress Core < 3.6.1 - Spoof Post Authorship

https://notcve.org/view.php?id=CVE-2013-4340

wp-admin/includes/post.php in WordPress before 3.6.1 allows remote authenticated users to spoof the authorship of a post by leveraging the Author role and providing a modified user_ID parameter. wp-admin/includes/post.php en WordPress anteriores a 3.6.1 permite a usuarios remotos autentificados falsear la autoría de una entrada aprovechando el rol Author y utilizando un parámetro user_ID modificado. • http://codex.wordpress.org/Version_3.6.1 http://core.trac.wordpress.org/changeset/25321 http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116828.html http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116832.html http://lists.fedoraproject.org/pipermail/package-announce/2013-September/117118.html http://wordpress.org/news/2013/09/wordpress-3-6-1 http://www.debian.org/security/2013/dsa-2757 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •

CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0

CVE-2013-3491 – Sharebar <= 1.4.2 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2013-3491

Multiple cross-site request forgery (CSRF) vulnerabilities in the Sharebar plugin 1.2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) modify buttons, or (3) insert cross-site scripting (XSS) sequences. Múltiple vulnerabilidades CSRF (cross-site request forgery) en el plugin Sharebar v1.2.5 para WordPress permite a atacantes remotos secuentrar la autenticacion de administrador para solicitudes que (1) añaden o (2) modifican botones, o (3) insertar sencuencias XSS (cross-site scripting) Multiple cross-site request forgery (CSRF) vulnerabilities in the Sharebar plugin 1.4.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) add or (2) modify buttons, or (3) insert cross-site scripting (XSS) sequences. • http://secunia.com/advisories/52948 http://www.securityfocus.com/bid/60956 https://exchange.xforce.ibmcloud.com/vulnerabilities/85438 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 5.4EPSS: 0%CPEs: 77EXPL: 0

CVE-2013-2199 – WordPress Core < 3.5.2 - Server Side Request Forgery

https://notcve.org/view.php?id=CVE-2013-2199

The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) issue, a similar vulnerability to CVE-2013-0235. La HTTP API en WordPress anteriores a v3.5.2 permite a atacantes remotos enviar peticiones HTTP a los servidores de la intranet a través de vectores no especificados, relacionado con peticiones manipuladas del lado del servidor (Server-Side Request Forgery (SSRF)), es similar a CVE-2013-0235. • http://codex.wordpress.org/Version_3.5.2 http://wordpress.org/news/2013/06/wordpress-3-5-2 http://www.debian.org/security/2013/dsa-2718 https://bugzilla.redhat.com/show_bug.cgi?id=976784 • CWE-264: Permissions, Privileges, and Access Controls CWE-918: Server-Side Request Forgery (SSRF) •