CVSS: 6.4EPSS: 1%CPEs: 1EXPL: 0CVE-2010-4536 – WordPress Core <= 3.0.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-4536
Multiple cross-site scripting (XSS) vulnerabilities in KSES, as used in WordPress before 3.0.4, allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) the & (ampersand) character, (2) the case of an attribute name, (3) a padded entity, and (4) an entity that is not in normalized form. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en KSES, como las utilizadas en WordPress antes de v3.0.4, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores relacionados con (1) & (carácter ampersand), (2) el caso de un nombre de atributo, (3) una entidad con relleno, y (4) una entidad que no está en forma normalizada. • http://core.trac.wordpress.org/changeset/17172/branches/3.0 http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053289.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053293.html http://secunia.com/advisories/42755 http://secunia.com/advisories/43000 http://wordpress.org/news/2010/12/3-0-4-update http://www.openwall.com/lists/oss-security/2010/12/30/1 http://www.securityfocus.com/bid/45620 http://www.vupen.com/english/advisories/ • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 70EXPL: 1CVE-2010-5106 – WordPress Core < 3.0.3 - Access Control Bypass
https://notcve.org/view.php?id=CVE-2010-5106
The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. La interfaz de publicación de XML-RPC remoto en xmlrpc.php en WordPress antes de v3.0.3 no realiza correctamente determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir restricciones de acceso, y publicar, editar o borrar mensajes, al aprovechar el rol de autor o colaborador. • http://codex.wordpress.org/Version_3.0.3 http://core.trac.wordpress.org/changeset/16803 http://openwall.com/lists/oss-security/2012/09/14/10 • CWE-264: Permissions, Privileges, and Access Controls CWE-284: Improper Access Control •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2010-4257 – WordPress Core <= 3.0.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2010-4257
SQL injection vulnerability in the do_trackbacks function in wp-includes/comment.php in WordPress before 3.0.2 allows remote authenticated users to execute arbitrary SQL commands via the Send Trackbacks field. Vulnerabilidad de inyección SQL en la función do_trackbacks en wp-includes/comment.php de WordPress anterior a v3.0.2 permite a los usuarios remotos autenticados ejecutar comandos SQL a su elección a través del campo Send Trackbacks. • http://blog.sjinks.pro/wordpress/858-information-disclosure-via-sql-injection-attack http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=605603 http://codex.wordpress.org/Version_3.0.2 http://core.trac.wordpress.org/changeset/16625 http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052879.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052892.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/052917.html http://lists.fedoraproject.org& • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.8EPSS: 0%CPEs: 48EXPL: 2CVE-2010-5293 – WordPress Core < 3.0.2 - Spam Protection Bypass
https://notcve.org/view.php?id=CVE-2010-5293
wp-includes/comment.php in WordPress before 3.0.2 does not properly whitelist trackbacks and pingbacks in the blogroll, which allows remote attackers to bypass intended spam restrictions via a crafted URL, as demonstrated by a URL that triggers a substring match. wp-includes/comment.php en WordPress anterior a la versión 3.0.2 no incluye en lista blanca los trackbacks y pingbacks en el blogroll, lo que permite a atacantes remotos evadir restricciones de SPAM intencionadas mediante una URL manipulada, tal y como se demostró mediante una URL que genera una coincidencia de subcadena. • http://codex.wordpress.org/Version_3.0.2 https://core.trac.wordpress.org/changeset/16637 https://core.trac.wordpress.org/ticket/13887 • CWE-264: Permissions, Privileges, and Access Controls CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.4EPSS: 0%CPEs: 48EXPL: 1CVE-2010-5294 – WordPress Core < 3.0.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2010-5294
Multiple cross-site scripting (XSS) vulnerabilities in the request_filesystem_credentials function in wp-admin/includes/file.php in WordPress before 3.0.2 allow remote servers to inject arbitrary web script or HTML by providing a crafted error message for a (1) FTP or (2) SSH connection attempt. Múltiples vulnerabilidades cross-site scripting (XSS) en la función request_filesystem_credentials en wp-admin/includes/file.php en WordPress anterior a v3.0.2 la cual permite a servidores remotos inyectar script Web o HTML arbitrario proporcionando un mensaje de error manipulado para (1) un FTP o (2) un intento de conexión SSH. • http://codex.wordpress.org/Version_3.0.2 https://core.trac.wordpress.org/changeset/16367 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •