CVE-2011-3126 – WordPress Core < 3.1.3 - Username Enumeration
https://notcve.org/view.php?id=CVE-2011-3126
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 allows remote attackers to determine usernames of non-authors via canonical redirects. WordPress 3.1 anteriores a 3.1.3 y 3.2 anteriores a Beta 2 permite a atacantes remotos determinar nombres de usuario de no-autores a través de redirecciones "canonical". • http://secunia.com/advisories/49138 http://wordpress.org/news/2011/05/wordpress-3-1-3 http://www.debian.org/security/2012/dsa-2470 http://www.securityfocus.com/bid/47995 https://exchange.xforce.ibmcloud.com/vulnerabilities/69173 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-204: Observable Response Discrepancy •
CVE-2011-3129 – WordPress Core <= 3.1.2 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2011-3129
The file upload functionality in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2, when running "on hosts with dangerous security settings," has unknown impact and attack vectors, possibly related to dangerous filenames. La funcionalidad de subida de archivo en WordPress 3.1 en versiones anteriores a 3.1.3 y 3.2 en versiones anteriores a Beta 2, cuando se ejecuta "en hosts con ajustes de seguridad peligrosos", tiene un impacto y vectores de ataque desconocidos, posiblemente relacionado con nombres de archivos peligrosos. • http://secunia.com/advisories/49138 http://wordpress.org/news/2011/05/wordpress-3-1-3 http://www.debian.org/security/2012/dsa-2470 http://www.securityfocus.com/bid/47995 • CWE-264: Permissions, Privileges, and Access Controls CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2011-3127 – WordPress Core < 3.1.3 - Clickjacking
https://notcve.org/view.php?id=CVE-2011-3127
WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 does not prevent rendering for (1) admin or (2) login pages inside a frame in a third-party HTML document, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. WordPress v3.1 anterior a 3.1.3 y v3.2 anterior a Beta 2, no previene adecuadamente el renderizado de las páginas (1) admin o (2) login dentro de un marco en un documento HTML de terceras partes, esto facilita a los atacantes remotos realizar ataques de clickjacking a través de un sitio web manipulado. • http://secunia.com/advisories/49138 http://wordpress.org/news/2011/05/wordpress-3-1-3 http://www.debian.org/security/2012/dsa-2470 http://www.securityfocus.com/bid/47995 https://exchange.xforce.ibmcloud.com/vulnerabilities/69172 • CWE-20: Improper Input Validation CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVE-2011-3125 – WordPress Core < 3.1.3 - Security Hardening
https://notcve.org/view.php?id=CVE-2011-3125
Unspecified vulnerability in WordPress 3.1 before 3.1.3 and 3.2 before Beta 2 has unknown impact and attack vectors related to "Various security hardening." Vulnerabilidad no especificada en WordPress v3.1 anterior a v3.1.3 y 3.2 anterior a Beta 2 tiene un impacto y vectores de ataque desconocidos relacionados con "Varios robustecimientos de la seguridad". • http://secunia.com/advisories/49138 http://wordpress.org/news/2011/05/wordpress-3-1-3 http://www.debian.org/security/2012/dsa-2470 https://exchange.xforce.ibmcloud.com/vulnerabilities/69174 • CWE-20: Improper Input Validation •
CVE-2011-5270 – WordPress Core < 3.0.6 - Incorrect Authorization Checks
https://notcve.org/view.php?id=CVE-2011-5270
wp-admin/press-this.php in WordPress before 3.0.6 does not enforce the publish_posts capability requirement, which allows remote authenticated users to perform publish actions by leveraging the Contributor role. wp-admin/press-this.php en WordPress anterior a la versión 3.0.6 no cumple los requisitos de capacidad publish_posts, lo que permite a usuarios remotos autenticados realizar acciones de publicación mediante el aprovechamiento del rol de Contributor. • http://codex.wordpress.org/Version_3.0.6 https://core.trac.wordpress.org/changeset/17710 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •