CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-39203 – Private data disclosure/privilege escalation through the block editor in Wordpress
https://notcve.org/view.php?id=CVE-2021-39203
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions authenticated users who don't have permission to view private post types/data can bypass restrictions in the block editor under certain conditions. This affected WordPress 5.8 beta during the testing period. It's fixed in the final 5.8 release. WordPress es un sistema de administración de contenidos gratuito y de código abierto escrito en PHP y emparejado con una base de datos MySQL o MariaDB. • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-qxvw-qxm9-qvg6 https://hackerone.com/reports/1225282 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0CVE-2021-39202 – WordPress 5.8 beta: Stored Cross-Site Scripting (XSS) vulnerability in widget
https://notcve.org/view.php?id=CVE-2021-39202
WordPress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. In affected versions the widgets editor introduced in WordPress 5.8 beta 1 has improper handling of HTML input in the Custom HTML feature. This leads to stored XSS in the custom HTML widget. This has been patched in WordPress 5.8. It was only present during the testing/beta phase of WordPress 5.8. • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-fr6h-3855-j297 https://hackerone.com/reports/1222797 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.0EPSS: 91%CPEs: 6EXPL: 13CVE-2022-21661 – SQL injection in WordPress
https://notcve.org/view.php?id=CVE-2022-21661
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. • https://www.exploit-db.com/exploits/50663 https://github.com/z92g/CVE-2022-21661 https://github.com/0x4E0x650x6F/Wordpress-cve-CVE-2022-21661 https://github.com/safe3s/CVE-2022-21661 https://github.com/purple-WL/wordpress-CVE-2022-21661 https://github.com/guestzz/CVE-2022-21661 https://github.com/TAPESH-TEAM/CVE-2022-21661-WordPress-Core-5.8.2-WP_Query-SQL-Injection https://github.com/WellingtonEspindula/SSI-CVE-2022-21661 https://github.com/sealldeveloper/CVE-2022-21661-PoC& • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •