Page 34 of 282 results (0.012 seconds)

CVSS: 6.4EPSS: 0%CPEs: 76EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en WordPress anteriores a v3.5.1 permite a atacantes remotos a inyectar comandos web o HTML a través de vectores que implican (1) códigos cortos de la galería o (2) contenido de un post. • http://codex.wordpress.org/Version_3.5.1 http://core.trac.wordpress.org/changeset/23317 http://core.trac.wordpress.org/changeset/23322 http://wordpress.org/news/2013/01/wordpress-3-5-1 https://bugzilla.redhat.com/show_bug.cgi?id=904121 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 89EXPL: 1

Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. Vulnerabilidad de ejecución de comandos en sitios cruzados en Plupload.as en Moxiecode Plupload anteriores a v1.5.5, como el usado en WordPress anteriores a v3.5.1 y otros productos, permiten a atacantes remotos inyectar comandos web o HTML a través del parámetro id. • http://codex.wordpress.org/Version_3.5.1 http://wordpress.org/news/2013/01/wordpress-3-5-1 https://bugzilla.redhat.com/show_bug.cgi?id=904122 https://github.com/moxiecode/plupload/commit/2d746ee9083c184f1234d8fed311e89bdd1b39e5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 1%CPEs: 30EXPL: 2

The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. El complemento phpMyAdmin Portable antes de v1.3.1 para WordPress permite a atacantes remotos evitar la autenticación y obtener acceso a la consola de phpMyAdmin a través de una solicitud directa al wp-content/plugins/portable-phpmyadmin/wp-pma-mod. The Portable phpMyAdmin plugin before 1.3.0 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. WordPress portable-phpMyAdmin plugin version 1.3.0 fails to validate the existing session allowing a user to navigate directly to the interface. • https://www.exploit-db.com/exploits/23356 http://archives.neohapsis.com/archives/bugtraq/2012-12/0092.html http://wordpress.org/extend/plugins/portable-phpmyadmin/changelog • CWE-264: Permissions, Privileges, and Access Controls CWE-287: Improper Authentication •

CVSS: 6.1EPSS: 1%CPEs: 23EXPL: 4

Cross-site scripting (XSS) vulnerability in swfupload.swf in SWFUpload 2.2.0.1 and earlier, as used in WordPress before 3.3.2, TinyMCE Image Manager 1.1, and other products, allows remote attackers to inject arbitrary web script or HTML via the movieName parameter, related to the "ExternalInterface.call" function. Vulnerabilidad XSS (cross-site scripting) en swfupload.swf en SWFUpload v2.2.0.10 y anteriores, tal y como se utilizaba en Wordpress anterior a v3.3.2, TinyMCE Image Manager v1.1, y otros productos, permite a atacantes remotos inyectar web scripts arbitrarios o HTML mediante el parámetro movieName, relacionado con la función "ExternalInterface.call" Dotclear, InstantCMS, AionWeb, and Dolphin all include a version of swfupload.swf that suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/37470 http://bot24.blogspot.ca/2013/04/swfupload-object-injectioncsrf.html http://code.google.com/p/swfupload/issues/detail?id=376 http://make.wordpress.org/core/2013/06/21/secure-swfupload http://packetstormsecurity.com/files/122399/TinyMCE-Image-Manager-1.1-Cross-Site-Scripting.html http://www.openwall.com/lists/oss-security/2012/07/16/4 http://www.openwall.com/lists/oss-security/2012/07/17/12 http://www.securityfocus.com/bid/54245 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.1EPSS: 0%CPEs: 17EXPL: 2

Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en wlcms-plugin.php en el plugin White Label CMS anteriores a v1.5.1 para WordPress, permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que piden que modifique el nombre del desarrollador a través del parámetro wlcms_o_developer_name en una acción save sobre wp-admin/admin.php, como se demostró por el nombre de desarrollador que contiene secuencias XSS. White Label CMS version 1.5 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/22156 http://osvdb.org/86568 http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html http://wordpress.org/extend/plugins/white-label-cms/changelog http://www.exploit-db.com/exploits/22156 http://www.securityfocus.com/bid/56166 https://exchange.xforce.ibmcloud.com/vulnerabilities/79520 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •