Page 44 of 282 results (0.009 seconds)

CVSS: 6.4EPSS: 0%CPEs: 48EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH connection attempt. Múltiples vulnerabilidades cross-site scripting (XSS) en la función request_filesystem_credentials en wp-admin/includes/file.php en WordPress anterior a v3.0.2 la cual permite a servidores remotos inyectar script Web o HTML arbitrario proporcionando un mensaje de error manipulado para (1) un FTP o (2) un intento de conexión SSH. • http://codex.wordpress.org/Version_3.0.2 https://core.trac.wordpress.org/changeset/16367 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 23EXPL: 2

The Register Plus plugin 3.5.1 and earlier for WordPress allows remote attackers to obtain sensitive information via a direct request to (1) dash_widget.php and (2) register-plus.php, which reveals the installation path in an error message. El complemento Register Plus 3.5.1 y versiones anteriores de WordPress permite a atacantes remotos obtener información confidencial a través de peticiones directas a (1) dash_widget.php y (2) register-plus.php, lo que revela la ruta de instalación en el mensaje de error. The Register Plus plugin 3.5.11 and earlier for WordPress allows remote attackers to obtain sensitive information via a direct request to (1) dash_widget.php and (2) register-plus.php, which reveals the installation path in an error message. • http://packetstormsecurity.org/files/view/96143/registerplus-xss.txt http://websecurity.com.ua/4539 http://www.securityfocus.com/archive/1/514903/100/0/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.2EPSS: 0%CPEs: 23EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Register Plus plugin 3.5.1 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) firstname, (2) lastname, (3) website, (4) aim, (5) yahoo, (6) jabber, (7) about, (8) pass1, and (9) pass2 parameters in a register action. Multiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en wp-login.php del complemento Register Plus 3.5.1 y versiones anteriores de WordPress. Permiten a usuarios remotos inyectar codigo de script web o código HTML de su elección a través de los parámetros (1) firstname, (2) lastname, (3) website, (4) aim, (5) yahoo, (6) jabber, (7) about, (8) pass1 y (9) pass2 de una acción de registro. Multiple cross-site scripting (XSS) vulnerabilities in wp-login.php in the Register Plus plugin 3.5.11 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) firstname, (2) lastname, (3) website, (4) aim, (5) yahoo, (6) jabber, (7) about, (8) pass1, and (9) pass2 parameters in a register action. • http://osvdb.org/69491 http://packetstormsecurity.org/files/view/96143/registerplus-xss.txt http://secunia.com/advisories/42360 http://websecurity.com.ua/4539 http://www.securityfocus.com/archive/1/514903/100/0/threaded http://www.securityfocus.com/bid/45057 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.7EPSS: 0%CPEs: 47EXPL: 2

WordPress before 3.0.1, when a Multisite installation is used, permanently retains the "site administrators can add users" option once changed, which might allow remote authenticated administrators to bypass intended access restrictions in opportunistic circumstances via an add action after a temporary change. WordPress anterior a la versión 3.0.1, cuando se usa una instalación Multisite, conserva permanentemente la opción "los usuarios pueden añadir administradores al sitio" una vez cambiada, lo que podría permitir a administradores remotos autenticados evadir restricciones de acceso intencionadas en circunstancias oportunistas a través de una acción de añadido después de un cambio temporal. • http://codex.wordpress.org/Changelog/3.0.1 http://core.trac.wordpress.org/query?status=closed&group=resolution&order=priority&milestone=3.0.1&resolution=fixed https://core.trac.wordpress.org/changeset/15342 https://core.trac.wordpress.org/ticket/14119 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 2

SQL injection vulnerability in myLDlinker.php in the myLinksDump Plugin 1.2 for WordPress allows remote attackers to execute arbitrary SQL commands via the url parameter. NOTE: some of these details are obtained from third party information. Vulnerabilidad de inyección SQL en myLDlinker.php del complemento myLinksDump v1.2 de WordPress permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro url. NOTA: algunos de estos detalles han sido obtenidos de información de terceras partes. • https://www.exploit-db.com/exploits/14441 http://osvdb.org/66566 http://secunia.com/advisories/40692 http://www.exploit-db.com/exploits/14441 https://exchange.xforce.ibmcloud.com/vulnerabilities/60591 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •