Page 5 of 167 results (0.005 seconds)

CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0

WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. WordPress versiones anteriores a 5.5.2, maneja inapropiadamente las inserciones de sitios deshabilitados en una red multisitio, como es demostrado al permitir una inserción de spam • https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release https://www. • CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role. El widget Dynamic OOO para el plugin Elementor Pro versiones hasta 3.0.5 para WordPress, permite a usuarios autenticados remotos ejecutar código arbitrario porque solo se necesita el rol Editor para cargar código PHP ejecutable por medio del fragmento PHP Raw. NOTA: este problema se puede mitigar eliminando el widget Dynamic OOO o restringiendo la disponibilidad del rol Editor • https://elementor.com/pro/changelog https://ww2.compunet.cl/dia-cero-en-plugin-de-wordpres-detectada-compunet-redteam • CWE-269: Improper Privilege Management •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

In wp-includes/comment-template.php in WordPress before 5.4.2, comments from a post or page could sometimes be seen in the latest comments even if the post or page was not public. En el archivo wp-includes/comment-template.php en WordPress versiones anteriores a 5.4.2, los comentarios de una publicación o página podrían algunas veces ser vistos en los últimos comentarios, inclusive si la publicación o la página no eran públicas • https://core.trac.wordpress.org/changeset/47984 https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

In affected versions of WordPress, some private posts, which were previously public, can result in unauthenticated disclosure under a specific set of conditions. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). En las versiones afectadas de WordPress, algunas publicaciones privadas, que anteriormente eran públicas, pueden resultar en una divulgación no autenticada bajo un conjunto específico de condiciones. Esto ha sido corregido en la versión 5.4.1, junto con todas las versiones afectadas anteriormente mediante una versión menor (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-xhx9-759f-6p2w https://lists.debian.org/debian-lts-announce/2020/05/msg00011.html https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates https://www.debian.org/security/2020/dsa-4677 • CWE-284: Improper Access Control CWE-306: Missing Authentication for Critical Function •

CVSS: 6.4EPSS: 0%CPEs: 3EXPL: 0

In affected versions of WordPress, a special payload can be crafted that can lead to scripts getting executed within the search block of the block editor. This requires an authenticated user with the ability to add content. This has been patched in version 5.4.1, along with all the previously affected versions via a minor release (5.3.3, 5.2.6, 5.1.5, 5.0.9, 4.9.14, 4.8.13, 4.7.17, 4.6.18, 4.5.21, 4.4.22, 4.3.23, 4.2.27, 4.1.30, 4.0.30, 3.9.31, 3.8.33, 3.7.33). En las versiones afectadas de WordPress, puede ser diseñada una carga útil especial que puede conllevar a que los scripts sean ejecutados dentro del bloque de búsqueda del editor de bloques. Esto requiere un usuario autenticado con la capacidad de agregar contenido. • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-vccm-6gmc-qhjh https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates https://www.debian.org/security/2020/dsa-4677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-707: Improper Neutralization •