CVE-2007-3238
https://notcve.org/view.php?id=CVE-2007-3238
Cross-site scripting (XSS) vulnerability in functions.php in the default theme in WordPress 2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the PATH_INFO (REQUEST_URI) to wp-admin/themes.php, a different vulnerability than CVE-2007-1622. NOTE: this might not cross privilege boundaries in some configurations, since the Administrator role has the unfiltered_html capability. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en functions.php en el tema por defecto en WordPress 2.2 permite a administradores validados remotos inyectar secuencias de comandos web o HTML a través de PATH_INFO (REQUEST_URI) en wp-admin/themes.php, un vulnerabilidad diferente que CVE-2007-1622. NOTA: esto no puede cruzar límites del privilegio en algunas configuraciones, puesto que el papel del administrador tiene la capacidad de unfiltered_html. • http://blogsecurity.net/wordpress/news/news-100607-1 http://codex.wordpress.org/Roles_and_Capabilities http://mybeni.rootzilla.de/mybeNi/2007/wordpress_zeroday_vulnerability_roundhouse_kick_and_why_i_nearly_wrote_the_first_blog_worm http://osvdb.org/37293 http://secunia.com/advisories/25541 http://secunia.com/advisories/29014 http://securityreason.com/securityalert/2807 http://www.debian.org/security/2008/dsa-1502 http://www.securityfocus.com/archive/1/470837/100/0/threaded http:// •
CVE-2007-3241 – Cordobo Green Park (All Versions) - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3241
Cross-site scripting (XSS) vulnerability in blogroll.php in the cordobo-green-park theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en blogroll.php en el tema cordobo-green-park para WordPress permite a atacantes remotos inyectar scripts web o HTML de su elección mediante la porción PHP_SELF de un URI. • http://osvdb.org/36817 http://securityreason.com/securityalert/2807 http://www.securityfocus.com/archive/1/470837/100/0/threaded http://www.xssnews.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2007-3240 – Vistered Little (Unspecified Version) - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3240
Cross-site scripting (XSS) vulnerability in 404.php in the Vistered-Little theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the URI (REQUEST_URI) that accesses index.php. NOTE: this can be leveraged for PHP code execution in an administrative session. Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en 404.php en el tema Vistered-Little para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del URI(REQUEST_URI) que accede a index.php. NOTA: Esto puede ser aprovechado para ejecutar código PHP en una sesión administrativa. The Vistered Little theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the the URI (REQUEST_URI) that accesses index.php in all known versions due to insufficient input sanitization and output escaping. • http://osvdb.org/37441 http://securityreason.com/securityalert/2807 http://www.securityfocus.com/archive/1/470837/100/0/threaded http://www.xssnews.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2007-3140 – WordPress Core <= 2.2 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-3140
SQL injection vulnerability in xmlrpc.php in WordPress 2.2 allows remote authenticated users to execute arbitrary SQL commands via a parameter value in an XML RPC wp.suggestCategories methodCall, a different vector than CVE-2007-1897. Vulnerabilidad de inyección SQL en xmlrpc.php de WordPress 2.2 permite a usuarios remotos autenticados ejecutar comandos SQL de su elección a través de un valor de parámetro en una llamada de método XML RPC wp.suggestCategories, vector distinto de CVE-2007-1897. • https://www.exploit-db.com/exploits/4039 http://osvdb.org/36321 http://secunia.com/advisories/25552 http://www.openpkg.com/security/advisories/OpenPKG-SA-2007.021.html http://www.securityfocus.com/bid/24344 http://www.vupen.com/english/advisories/2007/2099 https://exchange.xforce.ibmcloud.com/vulnerabilities/34746 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2007-3239 – AndyBlue Theme < 1.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3239
Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 20070607 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to index.php. NOTE: this can be leveraged for PHP code execution in an administrative session. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en searchform.php en el tema AndyBlue versiones anteriores a 20070607 para WordPress permite a atacantes remotos inyectar scripts web o HTML de su elección mediante la porción de un URI, PHP_SELF en idex.php. NOTA. Esto puede ser aprovechado para ejecutar código PHP en una sesión administrativa. Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to index.php. • http://osvdb.org/36379 http://secunia.com/advisories/25659 http://securityreason.com/securityalert/2807 http://www.securityfocus.com/archive/1/470837/100/0/threaded http://www.securityfocus.com/bid/24490 http://www.xssnews.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •