Page 47 of 235 results (0.007 seconds)

CVSS: 5.0EPSS: 1%CPEs: 10EXPL: 0

WordPress allows remote attackers to obtain sensitive information via a direct request for wp-admin/admin-functions.php, which reveals the path in an error message. WordPress permite a atacantes remotos obtener información sensible mediante una petición directa al wp-admin/admin-functions.php, que muestra la ruta (path) en un mensaje de error. • http://secunia.com/advisories/24566 http://www.gentoo.org/security/en/glsa/glsa-200703-23.xml http://www.securityfocus.com/archive/1/462230/100/0/threaded http://www.securityfocus.com/archive/1/462249/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/32881 •

CVSS: 6.8EPSS: 5%CPEs: 1EXPL: 2

Cross-site request forgery (CSRF) vulnerability in the AdminPanel in WordPress 2.1.1 and earlier allows remote attackers to perform privileged actions as administrators, as demonstrated using the delete action in wp-admin/post.php. NOTE: this issue can be leveraged to perform cross-site scripting (XSS) attacks and steal cookies via the post parameter. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en el AdminPanel en WordPress 2.1.1 y anteriores permite a atacantes remotos realizar acciones privilegiadas como administradores, como se demostró con el uso de una acción de borrado en wp-admin/post.php. NOTA: este asunto podría estar apalancado en los ataques de secuencias de comandos en sitios cruzados (XSS) y robar cookies a través del parámetro post. • https://www.exploit-db.com/exploits/29682 http://archives.neohapsis.com/archives/fulldisclosure/2007-02/0583.html http://osvdb.org/33787 http://osvdb.org/33788 http://secunia.com/advisories/24566 http://www.gentoo.org/security/en/glsa/glsa-200703-23.xml http://www.securityfocus.com/archive/1/461351/100/0/threaded http://www.securityfocus.com/bid/22735 https://exchange.xforce.ibmcloud.com/vulnerabilities/32703 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.0.5 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to (1) the Quick/Bulk Edit title (aka post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, and (5) escaping of tags within the tags meta box. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en Wordpress en versiones anteriores a v3.0.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro (1) Quick/Bulk Edit title (también conocido como post title or post_title), (2) post_status, (3) comment_status, (4) ping_status, y (5)saliendo de tags sin usar tags meta box . • http://codex.wordpress.org/Version_3.0.5 http://core.trac.wordpress.org/changeset/17397 http://core.trac.wordpress.org/changeset/17401 http://core.trac.wordpress.org/changeset/17406 http://core.trac.wordpress.org/changeset/17412 http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056412.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056998.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/057003.html http://openwall.com/lists&#x • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 1%CPEs: 1EXPL: 1

WordPress 2.0.11 and earlier allows remote attackers to obtain sensitive information via an empty value of the page parameter to certain PHP scripts under wp-admin/, which reveals the path in various error messages. WordPress 2.0.11 y anteriores permite a atacantes remotos obtener información sensible mediante un valor vacío del parámetro page a ciertas secuencias de comandos PHP bajo wp-admin/, lo cual revela la ruta en varios mensajes de error. • http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059439.html http://securityreason.com/securityalert/3539 http://securityvulns.ru/Sdocument762.html http://securityvulns.ru/Sdocument768.html http://securityvulns.ru/Sdocument772.html http://securityvulns.ru/Sdocument773.html http://websecurity.com.ua/1679 http://websecurity.com.ua/1683 http://websecurity.com.ua/1686 http://websecurity.com.ua/1687 http://www.securityfocus.com/archive/1/485786/100/0/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0

WordPress 2.0.6, and 2.1Alpha 3 (SVN:4662), does not properly verify that the m parameter value has the string data type, which allows remote attackers to obtain sensitive information via an invalid m[] parameter, as demonstrated by obtaining the path, and obtaining certain SQL information such as the table prefix. WordPress 2.0.6, y 2.1Alpha 3 (SVN:4662), no verifican apropiadamente que el valor del parámetro m tiene el tipo de datos string, lo cual permite a atacantes remotos obtener información confidencial mediante un parámetro m[] inválido, como se demuestra obteniendo el path, y obteniendo información SQL concreta, como por ejemplo el prefijo de tabla. • http://osvdb.org/33458 http://www.securityfocus.com/archive/1/456731/100/0/threaded • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •