CVSS: 6.4EPSS: 0%CPEs: 76EXPL: 1CVE-2013-0236 – WordPress Core < 3.5.1 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0236
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en WordPress anteriores a v3.5.1 permite a atacantes remotos a inyectar comandos web o HTML a través de vectores que implican (1) códigos cortos de la galería o (2) contenido de un post. • http://codex.wordpress.org/Version_3.5.1 http://core.trac.wordpress.org/changeset/23317 http://core.trac.wordpress.org/changeset/23322 http://wordpress.org/news/2013/01/wordpress-3-5-1 https://bugzilla.redhat.com/show_bug.cgi?id=904121 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 89EXPL: 1CVE-2013-0237 – WordPress Core < 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0237
Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. Vulnerabilidad de ejecución de comandos en sitios cruzados en Plupload.as en Moxiecode Plupload anteriores a v1.5.5, como el usado en WordPress anteriores a v3.5.1 y otros productos, permiten a atacantes remotos inyectar comandos web o HTML a través del parámetro id. • http://codex.wordpress.org/Version_3.5.1 http://wordpress.org/news/2013/01/wordpress-3-5-1 https://bugzilla.redhat.com/show_bug.cgi?id=904122 https://github.com/moxiecode/plupload/commit/2d746ee9083c184f1234d8fed311e89bdd1b39e5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 23EXPL: 4CVE-2012-3414 – SWFUpload <= 2.2.0.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-3414
Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. Vulnerabilidad XSS (cross-site scripting) en swfupload.swf en SWFUpload v2.2.0.10 y anteriores, tal y como se utilizaba en Wordpress anterior a v3.3.2, TinyMCE Image Manager v1.1, y otros productos, permite a atacantes remotos inyectar web scripts arbitrarios o HTML mediante el parámetro movieName, relacionado con la función "ExternalInterface.call" Dotclear, InstantCMS, AionWeb, and Dolphin all include a version of swfupload.swf that suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/37470 http://bot24.blogspot.ca/2013/04/swfupload-object-injectioncsrf.html http://code.google.com/p/swfupload/issues/detail?id=376 http://make.wordpress.org/core/2013/06/21/secure-swfupload http://packetstormsecurity.com/files/122399/TinyMCE-Image-Manager-1.1-Cross-Site-Scripting.html http://www.openwall.com/lists/oss-security/2012/07/16/4 http://www.openwall.com/lists/oss-security/2012/07/17/12 http://www.securityfocus.com/bid/54245 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2CVE-2011-5182 – WordPress Plugin Lanoba Social 1.0 - 'action' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-5182
Cross-site scripting (XSS) vulnerability in lanoba-social-plugin/index.php in the Lanoba Social plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor disputes this issue, stating "Lanoba's plug in does sanitize user input, and because that input is never sent to the browser, an attacker has no way of executing script or code on a user's behalf. ** EN DISPUTA ** Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en lanoba-social-plugin/index.php en el plugin Lanoba Social para WordPress v1.0, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro 'action'. NOTA: El vendendor no esta de acuerdo con este problema, alegando que Lanoba no limpia la entrada del usuario, y debido a que la entrada nunca se envía al navegador, un atacante no tiene manera de ejecutar un script o cualquier tipo de código en nombre de otro usuario". • https://www.exploit-db.com/exploits/36326 http://www.securityfocus.com/archive/1/520574/100/0/threaded http://www.securityfocus.com/archive/1/520678/100/0/threaded http://www.securityfocus.com/bid/50746 https://exchange.xforce.ibmcloud.com/vulnerabilities/71411 https://wordpress.org/support/topic/plugin-lanoba-social-plugin-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.3EPSS: 0%CPEs: 87EXPL: 1CVE-2012-4421 – WordPress Core < 3.4.2 - Missing Authorization Checks on create_post
https://notcve.org/view.php?id=CVE-2012-4421
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. La función create_post en wp-includes/class-wp-atom-server.php en WordPress antes de v3.4.2 no realiza determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir restricciones de acceso y publicar nuevos mensajes aprovechándose del rol de Colaborador y usando el Protocolo de Publicación (Conocido como AtomPub). • http://codex.wordpress.org/Version_3.4.2 http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_path=%2Ftags%2F3.4.2&new=21780#file2 http://openwall.com/lists/oss-security/2012/09/13/4 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •