CVSS: 7.5EPSS: 3%CPEs: 73EXPL: 4CVE-2011-4899 – WordPress Core 3.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2011-4899
wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments ** CONTROVERTIDO ** wp-admin/setup-config.php en el componente de instalación de WordPress v3.3.1 y versiones anteriores no garantiza que el servicio de base de datos MySQL especificado sea el apropiado, lo que permite configurar una base de datos de su elección a atacantes remotos a través de los parámetros dbhost y dbname y, posteriormente, realizar una inyección de código estático y ataques de ejecución de comandos en sitios cruzados (XSS) a través de (1) una solicitud HTTP o (2) una consulta MySQL. NOTA: el vendedor se opone a la importancia de esta cuestión, sin embargo, la ejecución de código remoto hace que el problema sea importante en muchos entornos reales. WordPress versions 3.3.1 and below suffer from MySQL username/password disclosure, PHP code execution and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/18417 http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html http://www.exploit-db.com/exploits/18417 https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt •
CVSS: 4.3EPSS: 0%CPEs: 73EXPL: 4CVE-2012-0782 – WordPress Core 3.3.1 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-0782
Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dbhost, (2) dbname, or (3) uname parameter. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether this specific XSS scenario has security relevance ** CUESTIONADA ** Varias vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en wp-admin/setup-config.php en la instalación de componente en WordPress 3.3.1 y anteriores apermite a atacantes remotos inyectar código HTML o script web a través del parámetro (1)dbhost, (2) dbname, o (3) uname. NOTA: el desarrollador ha disputado la importancia de este vulnerabilidad; no está claro que el escenario XSS específico tenga relevancia de seguridad. WordPress versions 3.3.1 and below suffer from MySQL username/password disclosure, PHP code execution and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/18417 http://archives.neohapsis.com/archives/bugtraq/2012-01/0150.html http://www.exploit-db.com/exploits/18417 https://www.trustwave.com/spiderlabs/advisories/TWSL2012-002.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 1CVE-2012-0287 – WordPress Core <= 3.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-0287
Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the "Duplicate comment detected" feature. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en wp-comments-post.php en WordPress v3.3.x antes de v3.3.1, cuando se utiliza Internet Explorer, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de la query string en una operación POST que no correctamente manejada por la característica "comentario duplicado detectado". • http://oldmanlab.blogspot.com/2012/01/wordpress-33-xss-vulnerability.html http://www.securityfocus.com/bid/51237 http://www.securitytracker.com/id?1026542 https://wordpress.org/news/2012/01/wordpress-3-3-1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2011-3122 – WordPress Core < 3.1.3 - Media Related Security Issue
https://notcve.org/view.php?id=CVE-2011-3122
Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Media security." Vulnerabilidad sin especificar en WordPress 3.1 anteriores a 3.1.3 y 3.2 anteriores a Beta 2 tiene un impacto sin especificar y vectores de ataque relacionados con "Media security". • http://secunia.com/advisories/49138 http://wordpress.org/news/2011/05/wordpress-3-1-3 http://www.debian.org/security/2012/dsa-2470 http://www.securityfocus.com/bid/47995 https://exchange.xforce.ibmcloud.com/vulnerabilities/69175 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2011-3125 – WordPress Core < 3.1.3 - Security Hardening
https://notcve.org/view.php?id=CVE-2011-3125
Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various security hardening." Vulnerabilidad no especificada en WordPress v3.1 anterior a v3.1.3 y 3.2 anterior a Beta 2 tiene un impacto y vectores de ataque desconocidos relacionados con "Varios robustecimientos de la seguridad". • http://secunia.com/advisories/49138 http://wordpress.org/news/2011/05/wordpress-3-1-3 http://www.debian.org/security/2012/dsa-2470 https://exchange.xforce.ibmcloud.com/vulnerabilities/69174 • CWE-20: Improper Input Validation •