CVSS: 6.3EPSS: 0%CPEs: 87EXPL: 1CVE-2012-4421 – WordPress Core < 3.4.2 - Missing Authorization Checks on create_post
https://notcve.org/view.php?id=CVE-2012-4421
The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. La función create_post en wp-includes/class-wp-atom-server.php en WordPress antes de v3.4.2 no realiza determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir restricciones de acceso y publicar nuevos mensajes aprovechándose del rol de Colaborador y usando el Protocolo de Publicación (Conocido como AtomPub). • http://codex.wordpress.org/Version_3.4.2 http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_path=%2Ftags%2F3.4.2&new=21780#file2 http://openwall.com/lists/oss-security/2012/09/13/4 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 3.8EPSS: 0%CPEs: 88EXPL: 1CVE-2012-4422 – WordPress Core < 3.4.2 - Missing Authorization Checks
https://notcve.org/view.php?id=CVE-2012-4422
wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. wp-admin/plugins.php en WordPress anterior a v3.4.2, cuando la característica multisitio está activada, no comprueba los privilegios de administrador de red antes de llevar a cabo la activación de red de un plugin instalado, lo cual podría permitir a usuarios remotos autenticados para realizar cambios no deseados del plugin mediante el aprovechamiento de la función de administrador. • http://codex.wordpress.org/Version_3.4.2 http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_path=%2Ftags%2F3.4.2&new=21780#file42 http://openwall.com/lists/oss-security/2012/09/13/4 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2012-4327 – Image News Slider <= 3.2 - Unspecified Vulnerability
https://notcve.org/view.php?id=CVE-2012-4327
Unspecified vulnerability in the Image News slider plugin before 3.3 for WordPress has unspecified impact and remote attack vectors. Una vulnerabilidad no especificada en el plugin Image News slider para WordPress antes de v3.3 tiene un impacto no especificado y vectores de ataque a distancia. • http://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-image-news-slider&old=529740&new_path=%2Fwp-image-news-slider&new=529740 http://secunia.com/advisories/48747 http://wordpress.org/extend/plugins/wp-image-news-slider/other_notes http://www.securityfocus.com/bid/52977 https://exchange.xforce.ibmcloud.com/vulnerabilities/74788 •
CVSS: 8.8EPSS: 0%CPEs: 85EXPL: 0CVE-2012-3384 – WordPress Core < 3.4.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2012-3384
Cross-site request forgery (CSRF) vulnerability in the customizer in WordPress before 3.4.1 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. Una vulnerabilidad de falsificación de peticiones en sitios cruzados(CSRF) en el personalizador de WordPress anterior a v3.4.1 permite a atacantes remotos secuestrar la autenticación de las víctimas no especificadas a través de vectores desconocidos. • http://codex.wordpress.org/Version_3.4.1 http://www.openwall.com/lists/oss-security/2012/07/02/1 http://www.openwall.com/lists/oss-security/2012/07/08/1 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 0CVE-2012-6635 – WordPress Core <= 3.3.2 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2012-6635
wp-admin/includes/class-wp-posts-list-table.php in WordPress before 3.3.3 does not properly restrict excerpt-view access, which allows remote authenticated users to obtain sensitive information by visiting a draft. wp-admin/includes/class-wp-posts-list-table.php en WordPress anterior a 3.3.3 no restringe adecuadamente el accesso a la vista-resumen (excerpt-view) lo que permite a los usuarios remotos autenticados obtener información sensible al visitar un proyecto. • http://codex.wordpress.org/Version_3.3.3 https://core.trac.wordpress.org/changeset/21086 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •