CVE-2013-2709 – FourSquare Checkins < 1.3 - Cross-Site Request Forgery to Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2709
Cross-site request forgery (CSRF) vulnerability in the FourSquare Checkins plugin before 1.3 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. Multiple cross-site request forgery (CSRF) vulnerabilities in the FourSquare Checkins plugin before v1.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that insert XSS sequences.
• http://secunia.com/advisories/53151
• http://wordpress.org/extend/plugins/foursquare-checkins/changelog
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2013-3532 – SpiderVPlayer <= 2.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2013-3532
SQL injection vulnerability in settings.php in the Web Dorado Spider Video Player plugin 2.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the theme parameter. SQL injection vulnerability in settings.php in the Web Dorado Spider Video Player plugin v2.1 for Drupal allows remote attackers to execute SQL commands of their choice via the "theme" parameter.
• https://www.exploit-db.com/exploits/38458
• http://osvdb.org/92264
• http://packetstormsecurity.com/files/121250/WordPress-Spider-Video-Player-2.1-SQL-Injection.html
• http://packetstormsecurity.com/files/128851/WordPress-HTML5-Flash-Player-SQL-Injection.html
• http://www.securityfocus.com/bid/59021
• http://www.securityfocus.com/bid/70763
• https://exchange.xforce.ibmcloud.com/vulnerabilities/83374
• https://exchange.xforce.ibmcloud.com/vulnerabilities/98332
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2013-3530 – Spiffy XSPF Player <= 0.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2013-3530
SQL injection vulnerability in playlist.php in the Spiffy XSPF Player plugin 0.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the playlist_id parameter. SQL injection vulnerability in playlist.php in the Spiffy XSPF Player plugin v0.1 for WordPress allows remote attackers to execute SQL commands of their choice via the "playlist_id" parameter.
• https://www.exploit-db.com/exploits/38441
• http://osvdb.org/92258
• http://packetstormsecurity.com/files/121204/WordPress-Spiffy-XSPF-Player-0.1-SQL-Injection.html
• http://www.securityfocus.com/bid/58976
• https://exchange.xforce.ibmcloud.com/vulnerabilities/83345
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2013-3526 – Traffic Analyzer < 3.4.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-3526
Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter. Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly v3.3.2 and earlier, for WordPress allows remote attackers to inject arbitrary web scripts or HTML via the "aoid" parameter. Cross-site scripting (XSS) vulnerability in js/ta_loaded.js.php in the Traffic Analyzer plugin, possibly 3.4.1 and earlier, for WordPress allows remote attackers to inject arbitrary web script or HTML via the aoid parameter.
• https://www.exploit-db.com/exploits/38439
• http://osvdb.org/92197
• http://packetstormsecurity.com/files/121167/WordPress-Traffic-Analyzer-Cross-Site-Scripting.html
• http://secunia.com/advisories/52929
• http://www.securityfocus.com/bid/58948
• https://exchange.xforce.ibmcloud.com/vulnerabilities/83311
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-1949 – Social Media Widget <= 4.0 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2013-1949
Social Media Widget (social-media-widget) plugin 4.0 for WordPress contains an externally introduced modification (Trojan Horse), which allows remote attackers to force the upload of arbitrary files. The Social Media Widget (social-media-widget) plugin for WordPress v4.0 contains an externally introduced modification (Trojan Horse), which allows a remote attacker to force the upload of arbitrary files.
• http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
• http://it.slashdot.org/story/13/04/13/212226/popular-wordpress-plug-in-caught-spamming-is-put-on-probation
• http://securityledger.com/hacked-wordpress-plug-in-put-on-double-secret-probation
• http://www.openwall.com/lists/oss-security/2013/04/14/1
• CWE-434: Unrestricted Upload of File with Dangerous Type