NotCVE - vendor:"Wordpress" product:"Wordpress" version:" >= 5.5

Page 6 of 30 results (0.005 seconds)

CVSS: 6.4EPSS: 2%CPEs: 6EXPL: 0

CVE-2020-28038 – WordPress Core < 5.5.2 - Stored Cross-Site Scripting via post slugs

https://notcve.org/view.php?id=CVE-2020-28038

WordPress before 5.5.2 allows stored XSS via post slugs. WordPress versiones anteriores a 5.5.2, permite un ataque de tipo XSS almacenado por medio de slugs de publicaciones • https://blog.ripstech.com https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-mainte • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.1EPSS: 0%CPEs: 6EXPL: 0

CVE-2020-28039 – WordPress Core < 5.5.2 - Arbitrary File Deletion

https://notcve.org/view.php?id=CVE-2020-28039

is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. La función is_protected_meta en el archivo wp-includes/meta.php en WordPress versiones anteriores a 5.5.2, permite la eliminación arbitraria de archivos porque no determina apropiadamente si una clave meta es considerada protegida • https://github.com/WordPress/wordpress-develop/commit/d5ddd6d4be1bc9fd16b7796842e6fb26315705ad https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y https://wordpress.org • CWE-285: Improper Authorization •

CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 0

CVE-2020-28040 – WordPress Core < 5.5.2 - Cross-Site Request Forgery to Theme Image Change

https://notcve.org/view.php?id=CVE-2020-28040

WordPress before 5.5.2 allows CSRF attacks that change a theme's background image. WordPress versiones anteriores a 5.5.2, permite ataques de tipo CSRF que cambian la imagen de fondo del tema • https://blog.wpscan.com/2020/10/30/wordpress-5.5.2-security-release.html https://lists.debian.org/debian-lts-announce/2020/11/msg00004.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CHHVNK2WYAM3ZTCXTFSEIT56IKLVJHU3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAVVYJKA2I6CRQUINECDPBGWMQDEG244 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VUXVUAKL2HL4QYJEPHBNVQQWRMFMII2Y https://wordpress.org&# • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1

CVE-2020-26596 – Elementor Pro <= 3.0.5 - Authenticated Remote Code Execution in Dynamic OOO Widget

https://notcve.org/view.php?id=CVE-2020-26596

The Dynamic OOO widget for the Elementor Pro plugin through 3.0.5 for WordPress allows remote authenticated users to execute arbitrary code because only the Editor role is needed to upload executable PHP code via the PHP Raw snippet. NOTE: this issue can be mitigated by removing the Dynamic OOO widget or by restricting availability of the Editor role. El widget Dynamic OOO para el plugin Elementor Pro versiones hasta 3.0.5 para WordPress, permite a usuarios autenticados remotos ejecutar código arbitrario porque solo se necesita el rol Editor para cargar código PHP ejecutable por medio del fragmento PHP Raw. NOTA: este problema se puede mitigar eliminando el widget Dynamic OOO o restringiendo la disponibilidad del rol Editor • https://elementor.com/pro/changelog https://ww2.compunet.cl/dia-cero-en-plugin-de-wordpres-detectada-compunet-redteam • CWE-269: Improper Privilege Management •

CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 0

CVE-2018-19296

https://notcve.org/view.php?id=CVE-2018-19296

PHPMailer before 5.2.27 and 6.x before 6.0.6 is vulnerable to an object injection attack. PHPMailer en versiones anteriores a la 5.2.27 y versiones 6.x anteriores a la 6.0.6 es vulnerable a un ataque de inyección de objetos. • https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.27 https://github.com/PHPMailer/PHPMailer/releases/tag/v6.0.6 https://lists.debian.org/debian-lts-announce/2018/12/msg00020.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT https://www.debian.org/security/2018/dsa-4351 • CWE-502: Deserialization of Untrusted Data CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •

1...4 5 6