CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1CVE-2014-4529 – Flash Photo Gallery <= 0.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2014-4529
Cross-site scripting (XSS) vulnerability in fpg_preview.php in the Flash Photo Gallery plugin 0.7 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the path parameter. Vulnerabilidad de XSS en fpg_preview.php en el plugin Flash Photo Gallery 0.7 y anteriores para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro path. • http://codevigilant.com/disclosure/wp-plugin-flash-photo-gallery-a3-cross-site-scripting-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2013-2706 – Stream Video Player <= 1.4.1 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2013-2706
Cross-site request forgery (CSRF) vulnerability in the Stream Video Player plugin 1.4.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. Vulnerabilidad de CSRF en el plugin Stream Video Player 1.4.0 para WordPress permite a atacantes remotos secuestrar la autenticación de administradores para solicitudes que cambian configuraciones de plugins a través de vectores no especificados. Cross-site request forgery (CSRF) vulnerability in the Stream Video Player plugin 1.4.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. • http://osvdb.org/94466 http://secunia.com/advisories/52954 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 1%CPEs: 98EXPL: 1CVE-2014-0166 – WordPress Core < 3.8.2 - Authentication Cookie Forgery
https://notcve.org/view.php?id=CVE-2014-0166
The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. La función wp_validate_auth_cookie en wp-includes/pluggable.php en WordPress anterior a 3.7.2 y 3.8.x anterior a 3.8.2 no determina debidamente la validez de cookies de autenticación, lo que facilita a atacantes remotos obtener acceso a través de una cookie falsificada. • https://github.com/Ettack/POC-CVE-2014-0166 http://codex.wordpress.org/Version_3.7.2 http://codex.wordpress.org/Version_3.8.2 http://core.trac.wordpress.org/changeset/28054 http://www.debian.org/security/2014/dsa-2901 https://bugzilla.redhat.com/show_bug.cgi?id=1085858 • CWE-287: Improper Authentication •
CVSS: 4.3EPSS: 0%CPEs: 98EXPL: 0CVE-2014-0165 – WordPress Core < 3.8.2 - Contributor Users Can Publish Posts
https://notcve.org/view.php?id=CVE-2014-0165
WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. WordPress anterior a 3.7.2 y 3.8.x anterior a 3.8.2 permite a usuarios remotos autenticados publicar mensajes mediante el aprovechamiento del rol de Colaborador, relacionado con wp-admin/includes/post.php y wp-admin/includes/class-wp-posts-list-table.php. • http://codex.wordpress.org/Version_3.7.2 http://codex.wordpress.org/Version_3.8.2 http://core.trac.wordpress.org/changeset/27976 http://www.debian.org/security/2014/dsa-2901 https://bugzilla.redhat.com/show_bug.cgi?id=1085866 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 6.1EPSS: 0%CPEs: 37EXPL: 0CVE-2013-3487 – BulletProof Security <= .48.9 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-3487
Multiple cross-site scripting (XSS) vulnerabilities in the security log in the BulletProof Security plugin before .49 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified HTML header fields to (1) 400.php, (2) 403.php, or (3) 403.php. Múltiples vulnerabilidades de XSS en el registro log de seguridad en el plugin BulletProof Security anterior a .49 para WordPress permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través de campos de cabecera HTML no especificados hacia (1) 400.php, (2) 403.php o (3) 403.php. • http://osvdb.org/95928 http://osvdb.org/95929 http://osvdb.org/95930 http://secunia.com/advisories/53614 http://wordpress.org/plugins/bulletproof-security/changelog http://www.securityfocus.com/bid/61583 https://exchange.xforce.ibmcloud.com/vulnerabilities/86160 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •