
CVSS: 5.8 | EPSS: 0% | CPEs: 48 | EXPL: 2

wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match.

References:
http://codex.wordpress.org/Version_3.0.2
https://core.trac.wordpress.org/changeset/16637
https://core.trac.wordpress.org/ticket/13887

CWE-264: Permissions, Privileges, and Access Controls; CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 6.1 | EPSS: 0% | CPEs: 2 | EXPL: 1

Cross-site scripting (XSS) vulnerability in pages/admin/surveys/create.php in the WP Survey And Quiz Tool plugin 1.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter.

References:
http://osvdb.org/69074
http://packetstormsecurity.org/1011-exploits/wpsurvey-xss.txt
http://secunia.com/advisories/42196
http://www.johnleitch.net/Vulnerabilities/WordPress.Survery.And.Quiz.Tool.1.2.1.Reflected.Cross-site.Scripting/57
https://exchange.xforce.ibmcloud.com/vulnerabilities/63056

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.7 | EPSS: 0% | CPEs: 47 | EXPL: 2

WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change.

References:
http://codex.wordpress.org/Changelog/3.0.1
http://core.trac.wordpress.org/query?status=closed&group=resolution&order=priority&milestone=3.0.1&resolution=fixed
https://core.trac.wordpress.org/changeset/15342
https://core.trac.wordpress.org/ticket/14119

CWE-264: Permissions, Privileges, and Access Controls; CWE-862: Missing Authorization

CVSS: 6.1 | EPSS: 1% | CPEs: 57 | EXPL: 4

Cross-site scripting (XSS) vulnerability in xml/media-rss.php in the NextGEN Gallery plugin before 1.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the mode parameter.

References:
https://www.exploit-db.com/exploits/12098
http://secunia.com/advisories/39341
http://wordpress.org/extend/plugins/nextgen-gallery/changelog
http://www.coresecurity.com/content/nextgen-gallery-xss-vulnerability
http://www.exploit-db.com/exploits/12098
http://www.securityfocus.com/bid/39250
http://www.vupen.com/english/advisories/2010/0821
https://exchange.xforce.ibmcloud.com/vulnerabilities/57562

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 16% | CPEs: 20 | EXPL: 3

Cross-site scripting (XSS) vulnerability in Roy Tanck tagcloud.swf, as used in the WP-Cumulus plugin before 1.23 for WordPress and the Joomulus module 2.0 and earlier for Joomla!, allows remote attackers to inject arbitrary web script or HTML via the tagcloud parameter in a tags action.

References:
https://www.exploit-db.com/exploits/33371
http://packetstormsecurity.org/1001-exploits/joomlajvclouds-xss.txt
http://secunia.com/advisories/37483
http://secunia.com/advisories/38161
http://websecurity.com.ua/3665
http://websecurity.com.ua/3789
http://websecurity.com.ua/3801
http://websecurity.com.ua/3839
http://www.roytanck.com/2009/11/15/wp-cumulus-updated-to-address-yet-another-security-issue
http://www.securityfocus.com/archive/1/508071/100/0/threaded
http://www.securi

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')