Page 54 of 326 results (0.009 seconds)

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending this file's content, along with its post_ID value, to (1) wp-app.php or (2) app.php. Vulnerabilidad de fichero de archivo no restringido en WordPress anterior a 2.2.1 y WordPress MU anterior a 1.2.3 permite a usuarios autenticados remotos subir y ejecutar código PHP de su elección mediante un post en el que se especifica un nombre de fichero .php en el campo de meta datos _wp_attached_file; entonces se envía el contenido del fichero, junto con su valor post_ID, a (1) wp-app.php o (2) app.php. • http://osvdb.org/37295 http://secunia.com/advisories/25794 http://trac.mu.wordpress.org/changeset/1005 http://www.buayacorp.com/files/wordpress/wordpress-advisory.html http://www.securityfocus.com/bid/24642 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en functions.php en el tema por defecto en WordPress 2.2 permite a administradores validados remotos inyectar secuencias de comandos web o HTML a través de PATH_INFO (REQUEST_URI) en wp-admin/themes.php, un vulnerabilidad diferente que CVE-2007-1622. NOTA: esto no puede cruzar límites del privilegio en algunas configuraciones, puesto que el papel del administrador tiene la capacidad de unfiltered_html. • http://blogsecurity.net/wordpress/news/news-100607-1 http://codex.wordpress.org/Roles_and_Capabilities http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm http://osvdb.org/37293 http://secunia.com/advisories/25541 http://secunia.com/advisories/29014 http://securityreason.com/securityalert/2807 http://www.debian.org/security/2008/dsa-1502 http://www.securityfocus.com/archive/1/470837/100/0/threaded http:// •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in blogroll.php in the cordobo-green-park theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en blogroll.php en el tema cordobo-green-park para WordPress permite a atacantes remotos inyectar scripts web o HTML de su elección mediante la porción PHP_SELF de un URI. • http://osvdb.org/36817 http://securityreason.com/securityalert/2807 http://www.securityfocus.com/archive/1/470837/100/0/threaded http://www.xssnews.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0

Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses index.php. NOTE: this can be leveraged for PHP code execution in an administrative session. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en 404.php en el tema Vistered-Little para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del URI(REQUEST_URI) que accede a index.php. NOTA: Esto puede ser aprovechado para ejecutar código PHP en una sesión administrativa. The Vistered Little theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the the URI (REQUEST_URI) that accesses index.php in all known versions due to insufficient input sanitization and output escaping. • http://osvdb.org/37441 http://securityreason.com/securityalert/2807 http://www.securityfocus.com/archive/1/470837/100/0/threaded http://www.xssnews.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 9%CPEs: 1EXPL: 1

SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897. Vulnerabilidad de inyección SQL en xmlrpc.php de WordPress 2.2 permite a usuarios remotos autenticados ejecutar comandos SQL de su elección a través de un valor de parámetro en una llamada de método XML RPC wp.suggestCategories, vector distinto de CVE-2007-1897. • https://www.exploit-db.com/exploits/4039 http://osvdb.org/36321 http://secunia.com/advisories/25552 http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.021.html http://www.securityfocus.com/bid/24344 http://www.vupen.com/english/advisories/2007/2099 https://exchange.xforce.ibmcloud.com/vulnerabilities/34746 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •