CVSS: 6.1EPSS: 3%CPEs: 1EXPL: 0CVE-2007-3239 – AndyBlue Theme < 1.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-3239
Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 20070607 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to index.php. NOTE: this can be leveraged for PHP code execution in an administrative session. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en searchform.php en el tema AndyBlue versiones anteriores a 20070607 para WordPress permite a atacantes remotos inyectar scripts web o HTML de su elección mediante la porción de un URI, PHP_SELF en idex.php. NOTA. Esto puede ser aprovechado para ejecutar código PHP en una sesión administrativa. Cross-site scripting (XSS) vulnerability in searchform.php in the AndyBlue theme before 1.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PHP_SELF portion of a URI to index.php. • http://osvdb.org/36379 http://secunia.com/advisories/25659 http://securityreason.com/securityalert/2807 http://www.securityfocus.com/archive/1/470837/100/0/threaded http://www.securityfocus.com/bid/24490 http://www.xssnews.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 3CVE-2007-2821 – WordPress Core 2.1.3 - 'admin-ajax.php' SQL Injection Blind Fishing
https://notcve.org/view.php?id=CVE-2007-2821
SQL injection vulnerability in wp-admin/admin-ajax.php in WordPress before 2.2 allows remote attackers to execute arbitrary SQL commands via the cookie parameter. Vulnerabilidad de inyección SQL en wp-admin/admin-ajax.php en WordPress anterior a 2.2 permite a atacantes remotos ejecutar comandos SQL de su elección a través del parámetro cookie. • https://www.exploit-db.com/exploits/3960 http://osvdb.org/36311 http://secunia.com/advisories/25345 http://secunia.com/advisories/29014 http://www.debian.org/security/2008/dsa-1502 http://www.exploit-db.com/exploits/3960 http://www.securityfocus.com/archive/1/469258/100/0/threaded http://www.securityfocus.com/bid/24076 http://www.vupen.com/english/advisories/2007/1889 http://www.waraxe.us/advisory-50.html https://exchange.xforce.ibmcloud.com/vulnerabilities/34399 •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2007-1893 – WordPress Core < 2.1.3 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2007-1893
xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users with the contributor role to bypass intended access restrictions and invoke the publish_posts functionality, which can be used to "publish a previously saved post." xmlrpc (xmlrpc.php) en WordPress versión 2.1.2, y probablemente anteriores, permite a usuarios autenticados remotos con el rol de colaborador omitir las restricciones de acceso previstas e invocar la funcionalidad publish_posts, que puede ser usada para "publish a previously saved post”. • http://secunia.com/advisories/24751 http://secunia.com/advisories/25108 http://trac.wordpress.org/ticket/4091 http://www.debian.org/security/2007/dsa-1285 http://www.notsosecure.com/folder2/2007/04/03/wordpress-212-xmlrpc-security-issues http://www.vupen.com/english/advisories/2007/1245 https://exchange.xforce.ibmcloud.com/vulnerabilities/33470 • CWE-264: Permissions, Privileges, and Access Controls CWE-285: Improper Authorization •
CVSS: 6.4EPSS: 3%CPEs: 12EXPL: 0CVE-2007-1894 – WordPress Core <= 2.1.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-1894
Cross-site scripting (XSS) vulnerability in wp-includes/general-template.php in WordPress before 20070309 allows remote attackers to inject arbitrary web script or HTML via the year parameter in the wp_title function. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en wp-includes/general-template.php de WordPress anterior a 09/03/2007 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través del parámetro year en la función wp_title. • http://chxsecurity.org/advisories/adv-1-mid.txt http://secunia.com/advisories/24485 http://secunia.com/advisories/25108 http://securityreason.com/securityalert/2526 http://trac.wordpress.org/changeset/5003 http://trac.wordpress.org/ticket/4093 http://www.debian.org/security/2007/dsa-1285 http://www.securityfocus.com/archive/1/462374/100/0/threaded http://www.securityfocus.com/bid/22902 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 1%CPEs: 3EXPL: 3CVE-2007-1897 – WordPress Core < 2.1.3 - SQL Injection
https://notcve.org/view.php?id=CVE-2007-1897
SQL injection vulnerability in xmlrpc (xmlrpc.php) in WordPress 2.1.2, and probably earlier, allows remote authenticated users to execute arbitrary SQL commands via a string parameter value in an XML RPC mt.setPostCategories method call, related to the post_id variable. Una vulnerabilidad de inyección SQL en xmlrpc (xmlrpc.php) en WordPress versión 2.1.2, y probablemente anteriores, permite a usuarios autenticados remotos ejecutar comandos SQL arbitrarios por medio de un valor del parámetro string en una llamada RPC XML del método mt.setPostCategories, relacionado con la variable post_id. • https://www.exploit-db.com/exploits/3656 http://secunia.com/advisories/24751 http://secunia.com/advisories/25108 http://trac.wordpress.org/ticket/4091 http://www.debian.org/security/2007/dsa-1285 http://www.notsosecure.com/folder2/2007/04/03/wordpress-212-xmlrpc-security-issues http://www.securityfocus.com/bid/23294 http://www.vupen.com/english/advisories/2007/1245 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •