CVE-2011-5192 – Pretty Link Lite < 1.5.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-5192
Cross-site scripting (XSS) vulnerability in pretty-bar.php in Pretty Link Lite plugin before 1.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the slug parameter, a different vulnerability than CVE-2011-5191. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en pretty-Bar.php en el plugin para WordPress Pretty Link Lite antes de v1.5.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro slug. Se trata de una vulnerabilidad diferente a CVE-2011-5191a • http://plugins.trac.wordpress.org/changeset/485819/pretty-link http://secunia.com/advisories/47456 http://wordpress.org/extend/plugins/pretty-link/changelog http://www.securityfocus.com/bid/51306 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-3860 – Cover WP <= 1.6.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-3860
Cross-site scripting (XSS) vulnerability in the Cover WP theme before 1.6.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter. vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el tema Cover WP anteriores a v1.6.6 para WordPress, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro s. • https://www.exploit-db.com/exploits/36183 http://www.securityfocus.com/bid/50334 https://sitewat.ch/en/Advisories/18 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2011-5270 – WordPress Core < 3.0.6 - Incorrect Authorization Checks
https://notcve.org/view.php?id=CVE-2011-5270
wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role. wp-admin/press-this.php en WordPress anterior a la versión 3.0.6 no cumple los requisitos de capacidad publish_posts, lo que permite a usuarios remotos autenticados realizar acciones de publicación mediante el aprovechamiento del rol de Contributor. • http://codex.wordpress.org/Version_3.0.6 https://core.trac.wordpress.org/changeset/17710 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVE-2011-1762 – WordPress Core < 3.1.2 - Incorrect Authorization for Contributor-level users
https://notcve.org/view.php?id=CVE-2011-1762
A flaw exists in Wordpress related to the 'wp-admin/press-this.php 'script improperly checking user permissions when publishing posts. This may allow a user with 'Contributor-level' privileges to post as if they had 'publish_posts' permission. Se presenta un fallo en Wordpress relacionado con el script "wp-admin/press-this.php" que comprueba incorrectamente los permisos de usuario cuando son publicados posts. Esto puede permitir que un usuario con privilegios de tipo "Contributor-level" publique como si tuviera permiso "publish_posts" • https://wordpress.org/support/wordpress-version/version-3-1-2 • CWE-276: Incorrect Default Permissions CWE-284: Improper Access Control •
CVE-2011-4957 – WordPress Core < 3.1.1 - Denial of Service
https://notcve.org/view.php?id=CVE-2011-4957
The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls. La función make_clickable en wp-includes/formatting.php en WordPress antes de v3.1.1 no comprueba las URL correctamente antes de pasarlas a la biblioteca PCRE, lo que permite a atacantes remotos provocar una denegación de servicio (caída) a través de un comentario con una URL modificada que lanza muchas llamadas recursivas. • http://core.trac.wordpress.org/ticket/16892 http://secunia.com/advisories/44038 http://secunia.com/advisories/49138 http://wordpress.org/news/2011/04/wordpress-3-1-1 http://www.debian.org/security/2012/dsa-2470 http://www.openwall.com/lists/oss-security/2012/04/19/17 http://www.openwall.com/lists/oss-security/2012/04/19/6 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption •