
CVSS: 7.5 | EPSS: 29% | CPEs: 1 | EXPL: 2

pub/sns.php in the W3 Total Cache plugin before 0.9.4 for WordPress allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data. The script pub/sns.php in the W3 Total Cache plugin (versions 0.9.2.6 through 0.9.3) allows remote attackers to read arbitrary files via the SubscribeURL field in SubscriptionConfirmation JSON data.

References:
• http://packetstormsecurity.com/files/160674/WordPress-W3-Total-Cache-0.9.3-File-Read-Directory-Traversal.html
• https://vinhjaxt.github.io/2019/03/cve-2019-6715

Weakness:
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 2

Cross-site scripting (XSS) vulnerability in the W3 Total Cache plugin before 0.9.4.1 for WordPress, when debug mode is enabled, allows remote attackers to inject arbitrary web script or HTML via the "Cache key" in the HTML-Comments, as demonstrated by the PATH_INFO to the default URI. W3 Total Cache version 0.9.4 suffers from a cross-site scripting vulnerability.

References:
• http://packetstormsecurity.com/files/129626/W3-Total-Cache-0.9.4-Cross-Site-Scripting.html
• http://www.securityfocus.com/archive/1/534266/100/0/threaded
• https://wordpress.org/plugins/w3-total-cache/changelog
• https://www.secuvera.de/advisories/secuvera-SA-2014-01.txt

Weakness:
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.8 | EPSS: 1% | CPEs: 1 | EXPL: 3

The W3 Total Cache plugin before 0.9.4.1 for WordPress does not properly handle empty nonces, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and hijack the authentication of administrators for requests that change the mobile site redirect URI via the mobile_groups[*][redirect] parameter and an empty _wpnonce parameter in the w3tc_mobile page to wp-admin/admin.php.

References:
• http://mazinahmed1.blogspot.com/2014/12/w3-total-caches-w3totalfail.html
• http://packetstormsecurity.com/files/129512/W3-Total-Cache-0.9.4-Cross-Site-Request-Forgery.html
• http://seclists.org/fulldisclosure/2014/Dec/67
• http://secunia.com/advisories/61562
• http://www.securityfocus.com/archive/1/534250/100/0/threaded
• https://exchange.xforce.ibmcloud.com/vulnerabilities/99352
• https://github.com/wp-plugins/w3-total-cache/commit/9a1cc9f70558282e135eb3120d271448c75b28dd#diff-86a10b31ab115483fe8111bedac14d15
• https://wordpres

Weakness:
• CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 9.8 | EPSS: 96% | CPEs: 2 | EXPL: 3

WordPress W3 Total Cache Plugin 0.9.2.8 has a Remote PHP Code Execution Vulnerability.

References:
• https://www.exploit-db.com/exploits/25137
• http://packetstormsecurity.com/files/130999/WordPress-W3-Total-Cache-PHP-Code-Execution.html
• http://www.exploit-db.com/exploits/25137
• http://www.openwall.com/lists/oss-security/2013/04/24/9
• http://www.securityfocus.com/bid/59316

Weaknesses:
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-94: Improper Control of Generation of Code ('Code Injection')