CVE-2013-3526 – Traffic Analyzer < 3.4.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-3526
Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter. A later revision of the record states the affected range as possibly 3.4.1 and earlier. • https://www.exploit-db.com/exploits/38439 http://osvdb.org/92197 http://packetstormsecurity.com/files/121167/WordPress-Traffic-Analyzer-Cross-Site-Scripting.html http://secunia.com/advisories/52929 http://www.securityfocus.com/bid/58948 https://exchange.xforce.ibmcloud.com/vulnerabilities/83311 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1949 – Social Media Widget <= 4.0 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2013-1949
Social Media Widget (social-media-widget) plugin 4.0 for WordPress contains an externally introduced modification (Trojan Horse), which allows remote attackers to force the upload of arbitrary files. • http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html http://it.slashdot.org/story/13/04/13/212226/popular-wordpress-plug-in-caught-spamming-is-put-on-probation http://securityledger.com/hacked-wordpress-plug-in-put-on-double-secret-probation http://www.openwall.com/lists/oss-security/2013/04/14/1 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2013-2697 – WP-DownloadManager Plugin < 1.61 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2697
Cross-site request forgery (CSRF) vulnerability in the WP-DownloadManager plugin before 1.61 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. • http://secunia.com/advisories/52863 http://wordpress.org/extend/plugins/wp-downloadmanager/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2013-3720 – Feedweb < 1.9 - Authenticated (Admin+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-3720
Cross-site scripting (XSS) vulnerability in widget_remove.php in the Feedweb plugin before 1.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wp_post_id parameter. The Feedweb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_post_id' parameter in versions up to 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • http://plugins.trac.wordpress.org/changeset?old_path=%2Ffeedweb&old=689612&new_path=%2Ffeedweb&new=689612 http://secunia.com/advisories/52855 http://wordpress.org/extend/plugins/feedweb/changelog http://www.darksecurity.de/advisories/2013/SSCHADV2013-004.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-3529 – WP FuneralPress <= 1.1.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-3529
Multiple cross-site scripting (XSS) vulnerabilities in user/obits.php in the WP FuneralPress plugin before 1.1.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) message, (2) photo-message, or (3) youtube-message parameter. • https://www.exploit-db.com/exploits/24914 http://packetstormsecurity.com/files/121030/WordPress-FuneralPress-1.1.6-Cross-Site-Scripting.html http://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-funeral-press&old=690038&new_path=%2Fwp-funeral-press&new=690038 http://seclists.org/fulldisclosure/2013/Mar/282 http://secunia.com/advisories/52809 http://wordpress.org/extend/plugins/wp-funeral-press/changelog http://www.securityfocus.com/bid/58790 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')