CVSS: 7.5EPSS: 4%CPEs: 3EXPL: 0CVE-2019-17673 – WordPress Core < 5.2.4 - Cache Poisoning
https://notcve.org/view.php?id=CVE-2019-17673
14 Oct 2019 — WordPress before 5.2.4 is vulnerable to poisoning of the cache of JSON GET requests because certain requests lack a Vary: Origin header. WordPress versiones anteriores a 5.2.4, es vulnerable al envenenamiento de la memoria caché de peticiones JSON GET porque ciertas peticiones carecen de un encabezado Vary: Origin. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attack... • https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 9.8EPSS: 4%CPEs: 4EXPL: 0CVE-2019-17670 – WordPress Core < 5.2.4 - Server Side Request Forgery #2
https://notcve.org/view.php?id=CVE-2019-17670
14 Oct 2019 — WordPress before 5.2.4 has a Server Side Request Forgery (SSRF) vulnerability because Windows paths are mishandled during certain validation of relative URLs. WordPress versiones anteriores a 5.2.4, presenta una vulnerabilidad de tipo Server Side Request Forgery (SSRF) porque las rutas (paths) de Windows son manejadas inapropiadamente durante cierta comprobación de las URL relativas. • https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.4EPSS: 5%CPEs: 3EXPL: 0CVE-2019-17672 – WordPress Core < 5.2.4 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-17672
14 Oct 2019 — WordPress before 5.2.4 is vulnerable to a stored XSS attack to inject JavaScript into STYLE elements. WordPress versiones anteriores a 5.2.4, es vulnerable a un ataque de tipo XSS almacenado para inyectar JavaScript en elementos STYLE. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirect... • https://blog.wpscan.org/wordpress/security/release/2019/10/15/wordpress-524-security-release-breakdown.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 70%CPEs: 4EXPL: 2CVE-2019-17671 – WordPress Core < 5.2.4 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2019-17671
14 Oct 2019 — In WordPress before 5.2.4, unauthenticated viewing of certain content is possible because the static query property is mishandled. En WordPress anterior a 5.2.4, es posible la visualización no autenticada de cierto contenido porque la propiedad de consulta estática es manejada inapropiadamente. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on th... • https://www.exploit-db.com/exploits/47690 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization •
CVSS: 6.4EPSS: 2%CPEs: 4EXPL: 0CVE-2019-16217 – WordPress Core < 5.2.3 - Cross-Site Scripting via Media Uploads
https://notcve.org/view.php?id=CVE-2019-16217
05 Sep 2019 — WordPress before 5.2.3 allows XSS in media uploads because wp_ajax_upload_attachment is mishandled. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS en cargas multimedia porque wp_ajax_upload_attachment es manejado inapropiadamente. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, cr... • https://core.trac.wordpress.org/changeset/45936 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 2%CPEs: 4EXPL: 1CVE-2019-16222 – WordPress Core < 5.2.3 - Stored Cross-Site Scripting via Comments via URLs
https://notcve.org/view.php?id=CVE-2019-16222
05 Sep 2019 — WordPress before 5.2.3 has an issue with URL sanitization in wp_kses_bad_protocol_once in wp-includes/kses.php that can lead to cross-site scripting (XSS) attacks. WordPress versiones anteriores a 5.2.3, presenta un problema con el saneamiento de la URL en la función wp_kses_bad_protocol_once en el archivo wp-includes/kses.php, lo que puede conllevar a ataques de tipo cross-site scripting (XSS). Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perfo... • https://core.trac.wordpress.org/changeset/45997 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 5%CPEs: 4EXPL: 3CVE-2019-16223 – WordPress Core < 5.2.3 - Authenticated Cross-Site Scripting via Post Previews
https://notcve.org/view.php?id=CVE-2019-16223
05 Sep 2019 — WordPress before 5.2.3 allows XSS in post previews by authenticated users. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS en las vistas previas de publicaciones por parte de usuarios autenticados. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirects, poison cache,... • https://packetstorm.news/files/id/160745 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 4%CPEs: 4EXPL: 0CVE-2019-16219 – WordPress Core < 5.2.3 - Reflected Cross-Site Scripting via Shortcode Previews
https://notcve.org/view.php?id=CVE-2019-16219
05 Sep 2019 — WordPress before 5.2.3 allows XSS in shortcode previews. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS en las vistas previas de shortcode. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirects, poison cache, and bypass authorization access and input sanitation. • https://fortiguard.com/zeroday/FG-VD-18-165 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 2%CPEs: 4EXPL: 0CVE-2019-16218 – WordPress Core < 5.2.3 - Stored Cross-Site Scripting via Comments
https://notcve.org/view.php?id=CVE-2019-16218
05 Sep 2019 — WordPress before 5.2.3 allows XSS in stored comments. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS en los comentarios almacenados. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirects, poison cache, and bypass authorization access and input sanitation. • https://lists.debian.org/debian-lts-announce/2019/10/msg00023.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 4EXPL: 0CVE-2019-16221 – WordPress Core < 5.2.3 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-16221
05 Sep 2019 — WordPress before 5.2.3 allows reflected XSS in the dashboard. WordPress versiones anteriores a 5.2.3, permite un ataque de tipo XSS reflejado en el dashboard. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirects, poison cache, and bypass authorization access and input sanitation. • https://lists.debian.org/debian-lts-announce/2019/10/msg00023.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •