CVSS: 6.5EPSS: 92%CPEs: 122EXPL: 0CVE-2014-5266 – WordPress Core < 3.9.2 - Denial of Service via XML #2
https://notcve.org/view.php?id=CVE-2014-5266
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, does not limit the number of elements in an XML document, which allows remote attackers to cause a denial of service (CPU consumption) via a large document, a different vulnerability than CVE-2014-5265. La libraría Incutio XML-RPC (IXR) , utilizado en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31, no limita el número de elementos en un documento XML, lo que permite a atacantes remotos causar una denegación de servicio (consumo de CPU) a través de un documento grande, una vulnerabilidad diferente a CVE-2014-5265. Wordpress XMLRPC parsing is vulnerable to a XML based denial of service. This vulnerability affects Wordpress 3.5 - 3.9.2 (3.8.4 and 3.7.4 are also patched). • http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830 http://cgit.drupalcode.org/drupal/diff/modules/openid/xrds.inc?id=1849830 http://www.debian.org/security/2014/dsa-2999 http://www.debian.org/security/2014/dsa-3001 https://core.trac.wordpress.org/changeset/29404 https://wordpress.org/news/2014/08/wordpress-3-9-2 https://www.drupal.org/SA-CORE-2014-004 http://www.breaksec.com/?p=6362 https://mashable.com/archive/wordpress-xml-blowup-dos • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.0EPSS: 43%CPEs: 122EXPL: 0CVE-2014-5265 – WordPress Core < 3.9.2 - Denial of Service via XML
https://notcve.org/view.php?id=CVE-2014-5265
The Incutio XML-RPC (IXR) Library, as used in WordPress before 3.9.2 and Drupal 6.x before 6.33 and 7.x before 7.31, permits entity declarations without considering recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. La librería Incutio XML-RPC (IXR), utilizada en WordPress anterior a 3.9.2 y Drupal 6.x anterior a 6.33 y 7.x anterior a 7.31, permite declaraciones de entidad sin considerar la recursión durante la expansión de la entidad, lo que permite a atacantes remotos causar una denegación de servicios (consumo de memoria y CPU) a través de un documento XML manipulado que contiene un número grande de referencias de entidad anidadas, un problema similar al CVE-2003-1564. • http://cgit.drupalcode.org/drupal/diff/includes/xmlrpc.inc?id=1849830 http://www.debian.org/security/2014/dsa-2999 http://www.debian.org/security/2014/dsa-3001 https://core.trac.wordpress.org/changeset/29404 https://wordpress.org/news/2014/08/wordpress-3-9-2 https://www.drupal.org/SA-CORE-2014-004 • CWE-399: Resource Management Errors CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2014-8363 – WordPress Spreadsheet <= 0.62 - SQL Injection
https://notcve.org/view.php?id=CVE-2014-8363
SQL injection vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter. Vulnerabilidad de inyección SQL en ss_handler.php en el plugin WordPress Spreadsheet (wpSS) 0.62 para WordPress permite a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro ss_id. • http://packetstormsecurity.com/files/127771/WordPress-WPSS-0.62-SQL-Injection.html http://www.securityfocus.com/bid/69089 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 2%CPEs: 16EXPL: 1CVE-2014-5337 – WordPress Mobile Pack – Mobile Plugin for Progressive Web Apps & Hybrid Mobile Apps < 2.0.2 - Information Disclosure
https://notcve.org/view.php?id=CVE-2014-5337
The WordPress Mobile Pack plugin before 2.0.2 for WordPress does not properly restrict access to password protected posts, which allows remote attackers to obtain sensitive information via an exportarticles action to export/content.php. El plugin WordPress Mobile Pack anterior a 2.0.2 para WordPress no restringe debidamente el acceso a los puesto protegidos por contraseña, lo que permite a atacantes remotos obtener información sensible a través de una acción exportarticles en export/content.php. • http://secunia.com/advisories/60584 http://wordpress.org/plugins/wordpress-mobile-pack/changelog http://www.securityfocus.com/bid/69292 https://security.dxw.com/advisories/information-disclosure-vulnerability-in-wordpress-mobile-pack-allows-anybody-to-read-password-protected-posts • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 2CVE-2014-4603 – Yahoo Updates For WordPress <= 1.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4603
Multiple cross-site scripting (XSS) vulnerabilities in yupdates_application.php in the Yahoo! Updates for WordPress plugin 1.0 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) secret, (2) key, or (3) appid parameter. Múltiples vulnerabilidades de XSS en yupdates_application.php en el plugin Yahoo! Updates for WordPress 1.0 y anteriores para WordPress permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro (1) secret, (2) key, o (3) appid. • http://codevigilant.com/disclosure/wp-plugin-yahoo-updates-for-wordpress-a3-cross-site-scripting-xss http://www.securityfocus.com/bid/68401 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •