Page 31 of 221 results (0.007 seconds)

CVSS: 8.8EPSS: 10%CPEs: 1EXPL: 1

wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. wp-includes/functions.php en WordPress anterior a 3.6.1 no determina apropiadamente si los datos han sido serializados lo que permite a usuarios remotos ejecutar codigo arbitrario lanzando operaciones PHP erróneas de deserialización • http://codex.wordpress.org/Version_3.6.1 http://core.trac.wordpress.org/changeset/25325 http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116828.html http://lists.fedoraproject.org/pipermail/package-announce/2013-September/116832.html http://lists.fedoraproject.org/pipermail/package-announce/2013-September/117118.html http://wordpress.org/news/2013/09/wordpress-3-6-1 http://www.debian.org/security/2013/dsa-2757 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •

CVSS: 6.1EPSS: 1%CPEs: 2EXPL: 1

Cross-site scripting (XSS) vulnerability in includes/CatGridPost.php in the Category Grid View Gallery plugin 2.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ID parameter. Vulnerabilidad XSS (Cross-site scripting) en includes/CatGridPost.php en el plugin Category Grid View Gallery v2.3.1 para WordPress permite a atacantes remotos inyectar scripts web arbitrarios o HTML mediante el parámetro ID. The Category Grid View Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘id’ parameter in versions before 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://www.exploit-db.com/exploits/38625 http://exploit.iedb.ir/exploits-177.html http://openwall.com/lists/oss-security/2013/07/11/11 http://osvdb.org/94805 http://packetstormsecurity.com/files/122259/WordPress-Category-Grid-View-Gallery-XSS.html http://seclists.org/bugtraq/2013/Jul/17 http://www.securityfocus.com/bid/60905 https://exchange.xforce.ibmcloud.com/vulnerabilities/85395 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 77EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.2 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) uploads of media files, (2) editing of media files, (3) installation of plugins, (4) updates to plugins, (5) installation of themes, or (6) updates to themes. Múltiples vulnerabilidades de cross-site scripting (XSS) en WordPress anterior a 3.5.2 permite a atacantes remotos inyectar secuencias de comandos web y HTML arbitrarias a través de vectores que involucran (1) subidas de archivos multimedia, (2) la edición de archivos multimedia, (3) instalación de plugins, (4) actualizaciones de plugins, (5) instalación de temas, o (6) cambios a los temas. • http://codex.wordpress.org/Version_3.5.2 http://wordpress.org/news/2013/06/wordpress-3-5-2 http://www.debian.org/security/2013/dsa-2718 https://bugzilla.redhat.com/show_bug.cgi?id=976784 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 77EXPL: 0

WordPress before 3.5.2, when the uploads directory forbids write access, allows remote attackers to obtain sensitive information via an invalid upload request, which reveals the absolute path in an XMLHttpRequest error message. WordPress anterior a v3.5.2, cuando el directorio de archivos prohíbe el acceso de escritura, permite a atacantes remotos obtener información sensible a través de una petición de subida valida, lo que revela la ruta absoluta en un mensaje de error XMLHttpRequest. • http://codex.wordpress.org/Version_3.5.2 http://wordpress.org/news/2013/06/wordpress-3-5-2 http://www.debian.org/security/2013/dsa-2718 https://bugzilla.redhat.com/show_bug.cgi?id=976784 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 5.4EPSS: 0%CPEs: 77EXPL: 0

WordPress before 3.5.2 allows remote attackers to read arbitrary files via an oEmbed XML provider response containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. WordPress anterior a v3.5.2 permite a atacantes remotos leer ficheros de su elección mediante respuesta del proveedor oEmbed XML que contenga una declaración de entidad externa en conjunción con una referencia de entidad, en relación con un fallo en una XML External Entity (XXE). • http://codex.wordpress.org/Version_3.5.2 http://wordpress.org/news/2013/06/wordpress-3-5-2 http://www.debian.org/security/2013/dsa-2718 https://bugzilla.redhat.com/show_bug.cgi?id=976784 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-611: Improper Restriction of XML External Entity Reference •