Page 39 of 265 results (0.003 seconds)

CVSS: 6.3EPSS: 0%CPEs: 6EXPL: 1

CVE-2011-5270 – WordPress Core < 3.0.6 - Incorrect Authorization Checks

https://notcve.org/view.php?id=CVE-2011-5270

wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role. wp-admin/press-this.php en WordPress anterior a la versión 3.0.6 no cumple los requisitos de capacidad publish_posts, lo que permite a usuarios remotos autenticados realizar acciones de publicación mediante el aprovechamiento del rol de Contributor. • http://codex.wordpress.org/Version_3.0.6 https://core.trac.wordpress.org/changeset/17710 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •

CVSS: 6.4EPSS: 0%CPEs: 75EXPL: 0

CVE-2011-4956 – WordPress Core <= 3.1 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2011-4956

Cross-site scripting (XSS) vulnerability in WordPress before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en WordPress antes de v3.1.1, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados. • http://secunia.com/advisories/44038 http://secunia.com/advisories/49138 http://wordpress.org/news/2011/04/wordpress-3-1-1 http://www.debian.org/security/2012/dsa-2470 http://www.openwall.com/lists/oss-security/2012/04/19/17 http://www.openwall.com/lists/oss-security/2012/04/19/6 http://www.osvdb.org/72141 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 1%CPEs: 75EXPL: 0

CVE-2011-4957 – WordPress Core < 3.1.1 - Denial of Service

https://notcve.org/view.php?id=CVE-2011-4957

The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. La función make_clickable en wp-includes/formatting.php en WordPress antes de v3.1.1 no comprueba las URL correctamente antes de pasarlas a la biblioteca PCRE, lo que permite a atacantes remotos provocar una denegación de servicio (caída) a través de un comentario con una URL modificada que lanza muchas llamadas recursivas. • http://core.trac.wordpress.org/ticket/16892 http://secunia.com/advisories/44038 http://secunia.com/advisories/49138 http://wordpress.org/news/2011/04/wordpress-3-1-1 http://www.debian.org/security/2012/dsa-2470 http://www.openwall.com/lists/oss-security/2012/04/19/17 http://www.openwall.com/lists/oss-security/2012/04/19/6 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2011-0701 – WordPress Core < 3.0.5 - Improper Authorization to Information Disclosure

https://notcve.org/view.php?id=CVE-2011-0701

wp-admin/async-upload.php in the media uploader in WordPress before 3.0.5 allows remote authenticated users to read (1) draft posts or (2) private posts via a modified attachment_id parameter. wp-admin/async-upload.php en media uploader en WordPress anterior a v3.0.5 permite a usuarios remotos autenticados leer (1) posts borradores o (2) posts privados a través del parámetro modificado attachment_id. • http://codex.wordpress.org/Version_3.0.5 http://core.trac.wordpress.org/changeset/17393 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056412.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056998.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/057003.html http://openwall.com/lists/oss-security/2011/02/08/7 http://openwall.com/lists/oss-security/2011/02/09/13 http://secunia.com/advisories/43729 http://www • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •

CVSS: 5.4EPSS: 0%CPEs: 48EXPL: 1

CVE-2010-5296 – WordPress Core < 3.0.2 - Missing Authorization

https://notcve.org/view.php?id=CVE-2010-5296

wp-includes/capabilities.php in WordPress before 3.0.2, when a Multisite configuration is used, does not require the Super Admin role for the delete_users capability, which allows remote authenticated administrators to bypass intended access restrictions via a delete action. wp-includes/capabilities.php en WordPress anterior a la versión 3.0.2, cuando se usa una configuración Multisite, no requiere el rol Super Admin para la capacidad delete_users, lo que permite a administradores remotos autenticados evadir restricciones de acceso intencionadas a través de una acción de eliminación. • http://codex.wordpress.org/Version_3.0.2 https://core.trac.wordpress.org/changeset/15562 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •