Page 33 of 165 results (0.009 seconds)

CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 0

Rock Lobster Contact Form 7 before 3.7.2 allows remote attackers to bypass the CAPTCHA protection mechanism and submit arbitrary form data by omitting the _wpcf7_captcha_challenge_captcha-719 parameter. Rock Lobster Contact Form 7 anterior a 3.7.2 permite a los atacantes remotos omitir el mecanismo de protección CAPTCHA y enviar datos de formularios arbitrarios omitiendo el parámetro _wpcf7_captcha_challenge_captcha-719. • http://contactform7.com/2014/02/26/contact-form-7-372 http://web.archive.org/web/20140727133642/http://www.hedgehogsecurity.co.uk/2014/02/26/contactform7-vulnerability http://wordpress.org/plugins/contact-form-7/changelog https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-contact-form-7-security-bypass-3-7-1 https://www.cvedetails.com/cve/CVE-2014-2265 • CWE-264: Permissions, Privileges, and Access Controls CWE-693: Protection Mechanism Failure •

CVSS: 9.8EPSS: 0%CPEs: 68EXPL: 0

SQL injection vulnerability in the WP e-Commerce plugin before 3.8.7.6 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en el plugin WP e-Commerce anterior a v3.8.7.6 para WordPress, permite a atacantes remotos ejecutar comandos SQL de su elección a través de vectores desconocidos • http://secunia.com/advisories/47627 http://wordpress.org/extend/plugins/wp-e-commerce/changelog http://www.securityfocus.com/bid/51637 https://exchange.xforce.ibmcloud.com/vulnerabilities/72622 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions. WordPress hasta la versión 4.8.2 emplea un algoritmo débil de hash de contraseñas basado en MD5, lo que facilita que atacantes determinen valores en texto claro aprovechando el acceso a los valores hash. NOTA: la forma de cambiar esto puede no ser totalmente compatible con ciertos casos de uso, como la migración de un sitio de WordPress desde un host web que emplee una versión reciente de PHP a un host web diferente que emplee PHP 5.2. • https://core.trac.wordpress.org/ticket/21022 • CWE-261: Weak Encoding for Password CWE-326: Inadequate Encryption Strength •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in the LeagueManager plugin 3.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter in the show-league page or (2) season parameter in the team page to wp-admin/admin.php. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en el plugin LeagueManager v3.7 para Wordpress que permite a atacantes remotos inyectar código web o html de su elección a través de (1) el parámetro group en la página show-league o (2) parámetro de sesión en la página team para wp-admin/admin.php. • http://packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html http://www.securityfocus.com/bid/53525 https://exchange.xforce.ibmcloud.com/vulnerabilities/75629 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 63EXPL: 1

Cross-site scripting (XSS) vulnerability in wpsc-admin/display-sales-logs.php in WP e-Commerce plugin 3.8.7.1 and possibly earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the custom_text parameter. NOTE: some of these details are obtained from third party information. Vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en wpsc-admin/display-sales-logs.php en el plugin para Wordpress e-Commerce v3.8.7.1 y posiblemente anteriores que permite a atacantes remotos inyectar código web o HTML arbitrario a través del parámetro custom_text. NOTA: algunos de estos detalles son obtenidos de información de terceras partes. • http://osvdb.org/77249 http://plugins.trac.wordpress.org/changeset?reponame=&new=463447%40wp-e-commerce&old=463446%40wp-e-commerce http://secunia.com/advisories/46957 http://wordpress.org/extend/plugins/wp-e-commerce/changelog http://www.securityfocus.com/bid/50757 https://exchange.xforce.ibmcloud.com/vulnerabilities/71443 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •