CVSS: 5.8EPSS: 0%CPEs: 48EXPL: 2CVE-2010-5293 – WordPress Core < 3.0.2 - Spam Protection Bypass
https://notcve.org/view.php?id=CVE-2010-5293
wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. wp-includes/comment.php en WordPress anterior a la versión 3.0.2 no incluye en lista blanca los trackbacks y pingbacks en el blogroll, lo que permite a atacantes remotos evadir restricciones de SPAM intencionadas mediante una URL manipulada, tal y como se demostró mediante una URL que genera una coincidencia de subcadena. • http://codex.wordpress.org/Version_3.0.2 https://core.trac.wordpress.org/changeset/16637 https://core.trac.wordpress.org/ticket/13887 • CWE-264: Permissions, Privileges, and Access Controls CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.4EPSS: 0%CPEs: 48EXPL: 1CVE-2010-5294 – WordPress Core < 3.0.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-5294
Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH connection attempt. Múltiples vulnerabilidades cross-site scripting (XSS) en la función request_filesystem_credentials en wp-admin/includes/file.php en WordPress anterior a v3.0.2 la cual permite a servidores remotos inyectar script Web o HTML arbitrario proporcionando un mensaje de error manipulado para (1) un FTP o (2) un intento de conexión SSH. • http://codex.wordpress.org/Version_3.0.2 https://core.trac.wordpress.org/changeset/16367 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.7EPSS: 0%CPEs: 47EXPL: 2CVE-2010-5297 – WordPress Core < 3.0.1 - Missing Authorization
https://notcve.org/view.php?id=CVE-2010-5297
WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change. WordPress anterior a la versión 3.0.1, cuando se usa una instalación Multisite, conserva permanentemente la opción "los usuarios pueden añadir administradores al sitio" una vez cambiada, lo que podría permitir a administradores remotos autenticados evadir restricciones de acceso intencionadas en circunstancias oportunistas a través de una acción de añadido después de un cambio temporal. • http://codex.wordpress.org/Changelog/3.0.1 http://core.trac.wordpress.org/query?status=closed&group=resolution&order=priority&milestone=3.0.1&resolution=fixed https://core.trac.wordpress.org/changeset/15342 https://core.trac.wordpress.org/ticket/14119 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2011-0700 – WordPress Core <= 3.0.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-0700
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Wordpress en versiones anteriores a v3.0.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro (1) Quick/Bulk Edit title (también conocido como post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, y (5)saliendo de tags sin usar tags meta box . • http://codex.wordpress.org/Version_3.0.5 http://core.trac.wordpress.org/changeset/17397 http://core.trac.wordpress.org/changeset/17401 http://core.trac.wordpress.org/changeset/17406 http://core.trac.wordpress.org/changeset/17412 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056412.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056998.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/057003.html http://openwall.com/lists&#x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •