CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 0CVE-2013-2697 – WP-DownloadManager Plugin < 1.61 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2697
Cross-site request forgery (CSRF) vulnerability in the WP-DownloadManager plugin before 1.61 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. Vulnerabilidad de falsificación de peticiones en sitios cruzados (CSRF) en el complemento WP-DownloadManager antes de v1.61 para Wordress, permite a atacantes remotos secuestrar la autenticación de usuarios de su elección para peticiones que insertan secuencias XSS. • http://secunia.com/advisories/52863 http://wordpress.org/extend/plugins/wp-downloadmanager/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 81EXPL: 2CVE-2013-3720 – Feedweb < 1.9 - Authenticated (Admin+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-3720
Cross-site scripting (XSS) vulnerability in widget_remove.php in the Feedweb plugin before 1.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wp_post_id parameter. Vulnerabilidad de ejecuciónd de secuencias de comandos en sitios cruzados (XSS) en widget_remove.php en el complemento Feedweb anterior a v1.9 para WordPress permite a administradores autenticados a inyectar secuencias de comandos Web o HTML a través del parámetro wp_post_id. The Feedweb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wp_post_id' parameter in versions up to 1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrative privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. • http://plugins.trac.wordpress.org/changeset?old_path=%2Ffeedweb&old=689612&new_path=%2Ffeedweb&new=689612 http://secunia.com/advisories/52855 http://wordpress.org/extend/plugins/feedweb/changelog http://www.darksecurity.de/advisories/2013/SSCHADV2013-004.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 2%CPEs: 13EXPL: 4CVE-2013-3529 – WP FuneralPress <= 1.1.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-3529
Multiple cross-site scripting (XSS) vulnerabilities in user/obits.php in the WP FuneralPress plugin before 1.1.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) message, (2) photo-message, or (3) youtube-message parameter. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en user/obits.php del plugin WP FuneralPress versiones anteriores a v1.1.7 para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML mediante los parámetro (1) "message", (2) "photo-message", o (3) "youtube-message". • https://www.exploit-db.com/exploits/24914 http://packetstormsecurity.com/files/121030/WordPress-FuneralPress-1.1.6-Cross-Site-Scripting.html http://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-funeral-press&old=690038&new_path=%2Fwp-funeral-press&new=690038 http://seclists.org/fulldisclosure/2013/Mar/282 http://secunia.com/advisories/52809 http://wordpress.org/extend/plugins/wp-funeral-press/changelog http://www.exploit-db.com/exploits/24914 http://www.securityfocus.com/bid/58790 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 2CVE-2013-2741 – BackupBuddy < 3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2013-2741
importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not require that authentication be enabled, which allows remote attackers to obtain sensitive information, or overwrite or delete files, via vectors involving a (1) direct request, (2) step=1 request, (3) step=2 or step=3 request, or (4) step=7 request. importbuddy.php en el complemento BackupBuddy v1.3.4, v2.1.4, v2.2.25, v2.2.28, y v2.2.4 para WordPress no requiere autenticación, lo que permite a atacantes remotos obtener información o sobreescribir o borrar ficheros, a través de vectores (1) petición directa, (2) step=1 petición, (3) step=2 o step=3 peticiónt, o (4) step=7 petición. • http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html http://packetstormsecurity.com/files/120923 • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 2CVE-2013-2744 – BackupBuddy <= 2.2.28 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2013-2744
importbuddy.php in the BackupBuddy plugin 2.2.25 for WordPress allows remote attackers to obtain configuration information via a step 0 phpinfo action, which calls the phpinfo function. importbuddy.php en el plugin para WordPress BackupBuddy v2.2.25 permite a atacantes remotos obtener información de configuración a través de una acción "step 0 phpinfo", que llama a la función phpinfo. The BackupBuddy plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.2.28 via a step 0 phpinfo action, which calls the phpinfo function. This can allow remote attackers to extract configuration information. • http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html http://packetstormsecurity.com/files/120923 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •