CVE-2013-2199 – WordPress Core < 3.5.2 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2013-2199
The HTTP API in WordPress before 3.5.2 allows remote attackers to send HTTP requests to intranet servers via unspecified vectors, related to a Server-Side Request Forgery (SSRF) issue; a similar vulnerability to CVE-2013-0235.
References: http://codex.wordpress.org/Version_3.5.2 , http://wordpress.org/news/2013/06/wordpress-3-5-2 , http://www.debian.org/security/2013/dsa-2718 , https://bugzilla.redhat.com/show_bug.cgi?id=976784
CWE: CWE-264: Permissions, Privileges, and Access Controls; CWE-918: Server-Side Request Forgery (SSRF)
CVE-2013-2707 – Login With Ajax < 3.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-2707
Cross-site request forgery (CSRF) vulnerability in the Login With Ajax plugin before 3.1 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that modify this plugin's settings.
References: http://secunia.com/advisories/52950 , http://wordpress.org/extend/plugins/login-with-ajax/changelog
CWE: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2013-3532 – SpiderVPlayer <= 2.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2013-3532
SQL injection vulnerability in settings.php in the Web Dorado Spider Video Player plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the theme parameter.
References: https://www.exploit-db.com/exploits/38458 , http://osvdb.org/92264 , http://packetstormsecurity.com/files/121250/WordPress-Spider-Video-Player-2.1-SQL-Injection.html , http://packetstormsecurity.com/files/128851/WordPress-HTML5-Flash-Player-SQL-Injection.html , http://www.securityfocus.com/bid/59021 , http://www.securityfocus.com/bid/70763 , https://exchange.xforce.ibmcloud.com/vulnerabilities/83374 , https://exchange.xforce.ibmcloud.com/vulnerabilities/98332
CWE: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2013-0235 – WordPress Core < 3.5.1 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2013-0235
The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue.
References: http://codex.wordpress.org/Version_3.5.1 , http://core.trac.wordpress.org/changeset/23330 , http://wordpress.org/news/2013/01/wordpress-3-5-1 , http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability , https://bugzilla.redhat.com/show_bug.cgi?id=904120
CWE: CWE-918: Server-Side Request Forgery (SSRF)
CVE-2013-0236 – WordPress Core < 3.5.1 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0236
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post.
References: http://codex.wordpress.org/Version_3.5.1 , http://core.trac.wordpress.org/changeset/23317 , http://core.trac.wordpress.org/changeset/23322 , http://wordpress.org/news/2013/01/wordpress-3-5-1 , https://bugzilla.redhat.com/show_bug.cgi?id=904121
CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')