CVSS: 6.5EPSS: 0%CPEs: 70EXPL: 1CVE-2010-5106 – WordPress Core < 3.0.3 - Access Control Bypass
https://notcve.org/view.php?id=CVE-2010-5106
The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. La interfaz de publicación de XML-RPC remoto en xmlrpc.php en WordPress antes de v3.0.3 no realiza correctamente determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir restricciones de acceso, y publicar, editar o borrar mensajes, al aprovechar el rol de autor o colaborador. • http://codex.wordpress.org/Version_3.0.3 http://core.trac.wordpress.org/changeset/16803 http://openwall.com/lists/oss-security/2012/09/14/10 • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2010-4257 – WordPress Core <= 3.0.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2010-4257
SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. Vulnerabilidad de inyección SQL en la función do_trackbacks en wp-includes/comment.php de WordPress anterior a v3.0.2 permite a los usuarios remotos autenticados ejecutar comandos SQL a su elección a través del campo Send Trackbacks. • http://blog.sjinks.pro/wordpress/858-information-disclosure-via-sql-injection-attack http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605603 http://codex.wordpress.org/Version_3.0.2 http://core.trac.wordpress.org/changeset/16625 http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052879.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052892.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052917.html http://lists.fedoraproject.org& • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 48EXPL: 1CVE-2010-5295 – WordPress Core < 3.0.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-5295
Cross-site scripting (XSS) vulnerability in wp-admin/plugins.php in WordPress before 3.0.2 might allow remote attackers to inject arbitrary web script or HTML via a plugin's author field, which is not properly handled during a Delete Plugin action. Vulnerabilidad de XSS en wp-admin/plugins.php de WordPress anterior a la versión 3.0.2 podría permitir a atacantes remotos inyectar script Web o HTML arbitrario a través del campo de autor del plugin, el cual no es correctamente manejado durante una acción Delete Plugin. • http://codex.wordpress.org/Version_3.0.2 https://core.trac.wordpress.org/changeset/16373 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.8EPSS: 0%CPEs: 48EXPL: 2CVE-2010-5293 – WordPress Core < 3.0.2 - Spam Protection Bypass
https://notcve.org/view.php?id=CVE-2010-5293
wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. wp-includes/comment.php en WordPress anterior a la versión 3.0.2 no incluye en lista blanca los trackbacks y pingbacks en el blogroll, lo que permite a atacantes remotos evadir restricciones de SPAM intencionadas mediante una URL manipulada, tal y como se demostró mediante una URL que genera una coincidencia de subcadena. • http://codex.wordpress.org/Version_3.0.2 https://core.trac.wordpress.org/changeset/16637 https://core.trac.wordpress.org/ticket/13887 • CWE-264: Permissions, Privileges, and Access Controls CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.4EPSS: 0%CPEs: 48EXPL: 1CVE-2010-5294 – WordPress Core < 3.0.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-5294
Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH connection attempt. Múltiples vulnerabilidades cross-site scripting (XSS) en la función request_filesystem_credentials en wp-admin/includes/file.php en WordPress anterior a v3.0.2 la cual permite a servidores remotos inyectar script Web o HTML arbitrario proporcionando un mensaje de error manipulado para (1) un FTP o (2) un intento de conexión SSH. • http://codex.wordpress.org/Version_3.0.2 https://core.trac.wordpress.org/changeset/16367 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •