CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 2CVE-2013-2741 – BackupBuddy < 3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2013-2741
importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not require that authentication be enabled, which allows remote attackers to obtain sensitive information, or overwrite or delete files, via vectors involving a (1) direct request, (2) step=1 request, (3) step=2 or step=3 request, or (4) step=7 request. importbuddy.php en el complemento BackupBuddy v1.3.4, v2.1.4, v2.2.25, v2.2.28, y v2.2.4 para WordPress no requiere autenticación, lo que permite a atacantes remotos obtener información o sobreescribir o borrar ficheros, a través de vectores (1) petición directa, (2) step=1 petición, (3) step=2 o step=3 peticiónt, o (4) step=7 petición. • http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html http://packetstormsecurity.com/files/120923 • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 2CVE-2013-2744 – BackupBuddy <= 2.2.28 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2013-2744
importbuddy.php in the BackupBuddy plugin 2.2.25 for WordPress allows remote attackers to obtain configuration information via a step 0 phpinfo action, which calls the phpinfo function. importbuddy.php en el plugin para WordPress BackupBuddy v2.2.25 permite a atacantes remotos obtener información de configuración a través de una acción "step 0 phpinfo", que llama a la función phpinfo. The BackupBuddy plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.2.28 via a step 0 phpinfo action, which calls the phpinfo function. This can allow remote attackers to extract configuration information. • http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html http://packetstormsecurity.com/files/120923 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 2CVE-2013-2742 – BackupBuddy < 3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2013-2742
importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not reliably delete itself after completing a restore operation, which makes it easier for remote attackers to obtain access via subsequent requests to this script. importbuddy.php en el plugin de BackupBuddy v1.3.4, v2.1.4, v2.2.25, v2.2.28 y v2.2.4 para WordPress no es fiable queda eliminado tras completar una operación de restauración, lo que hace que sea más fácil para los atacantes remotos obtener acceso a través de las solicitudes posteriores a este script. • http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html http://packetstormsecurity.com/files/120923 • CWE-287: Improper Authentication •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 2CVE-2013-2743 – BackupBuddy < 3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2013-2743
importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress allows remote attackers to bypass authentication via a crafted integer in the step parameter. importbuddy.php en el complemento BackupBuddy v1.3.4, v2.1.4, v2.2.25, v2.2.28, y v2.2.4 para WordPress que permite a atacantes remotos evitar autenticaciones a través del parámetro step manipulando el entero. • http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html http://packetstormsecurity.com/files/120923 • CWE-287: Improper Authentication •
CVSS: 6.4EPSS: 1%CPEs: 10EXPL: 1CVE-2013-2640 – MailUp newsletter sign-up form < 1.3.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2640
ajax.functions.php in the MailUp plugin before 1.3.2 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks via unspecified vectors related to "formData=save" requests, a different version than CVE-2013-0731. ajax.functions.php en el complemento MailUp anterior a v1.3.2 para WordPress no restringe correctamente el acceso a las funciones especificadas Ajax, que permite a atacantes remotos modificar la configuración del complemento y conducir a ataques de cross-site scripting (XSS) a través de vectores no especificados relacionados con "formData=save" las solicitudes, una versión diferente de CVE-2013-0731. • http://osvdb.org/91274 http://plugins.trac.wordpress.org/changeset?new=682420 http://secunia.com/advisories/51917 http://wordpress.org/extend/plugins/wp-mailup/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-264: Permissions, Privileges, and Access Controls •