CVE-2013-2742 – BackupBuddy < 3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2013-2742
importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress does not reliably delete itself after completing a restore operation, which makes it easier for remote attackers to obtain access via subsequent requests to this script.
• References: http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html http://packetstormsecurity.com/files/120923
• CWE-287: Improper Authentication
CVE-2013-2743 – BackupBuddy < 3.0 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2013-2743
importbuddy.php in the BackupBuddy plugin 1.3.4, 2.1.4, 2.2.25, 2.2.28, and 2.2.4 for WordPress allows remote attackers to bypass authentication via a crafted integer in the step parameter.
• References: http://archives.neohapsis.com/archives/fulldisclosure/2013-03/0205.html http://packetstormsecurity.com/files/120923
• CWE-287: Improper Authentication
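The two BackupBuddy entries describe a single-file restore wizard that (a) gates its steps on an integer parameter and (b) is supposed to remove itself when the restore finishes. The block below is an added illustration of both failure modes and is not BackupBuddy's code: a dispatcher that only checks the password while step == 1 and therefore never checks it for any other step value, next to one that requires a token on every step and clamps out-of-range step numbers, plus a finishing routine that verifies its own deletion instead of assuming it. The password hash, the install secret, the step numbers and all function names are assumptions made for the example.

```php
<?php
// Added example, not BackupBuddy's code: a one-file restore wizard gated by an
// integer "step" parameter. The password hash, secret, step numbers and
// function names are assumptions made for the illustration.
declare(strict_types=1);

const IMPORT_PASSWORD_HASH = 'e10adc3949ba59abbe56e057f20f883e'; // md5('123456'), demo only
const INSTALL_SECRET       = 'replace-with-random-bytes';         // assumed per-install secret
const FINAL_STEP           = 4;

function password_ok(array $req): bool
{
    return hash_equals(IMPORT_PASSWORD_HASH, md5((string) ($req['password'] ?? '')));
}

// Vulnerable pattern: the password is checked only while step == 1. Every
// later step trusts the integer in the request, so a client that starts at
// step 2 or higher never meets the check.
function vulnerable_dispatch(array $req): string
{
    $step = (int) ($req['step'] ?? 1);
    if ($step === 1) {
        return password_ok($req) ? 'ok: go to step 2' : 'denied: bad password';
    }
    return run_step($step);
}

// Hardened pattern: step 1 returns a token derived from the secret; every
// other step requires it, and an unknown or out-of-range step falls back to
// step 1 instead of running.
function hardened_dispatch(array $req): string
{
    $step = (int) ($req['step'] ?? 1);
    if ($step < 1 || $step > FINAL_STEP) {
        $step = 1;
    }
    if ($step === 1) {
        return password_ok($req) ? 'ok: token=' . session_token() : 'denied: bad password';
    }
    if (!hash_equals(session_token(), (string) ($req['token'] ?? ''))) {
        return 'denied: authenticate at step 1 first';
    }
    return run_step($step);
}

function session_token(): string
{
    // One token per install for brevity; a real script would also bind it to
    // the client session and expire it when the restore finishes.
    return hash_hmac('sha256', 'importbuddy-session', INSTALL_SECRET);
}

function run_step(int $step): string
{
    return $step === FINAL_STEP ? finish_and_self_delete() : "step $step executed";
}

// CVE-2013-2742 is about this last step: deleting the script must be verified,
// not assumed, or it stays reachable after the restore.
function finish_and_self_delete(string $self = __FILE__): string
{
    @unlink($self);
    clearstatcache(true, $self);
    if (!file_exists($self)) {
        return 'restore complete, script removed';
    }
    // unlink failed (permissions, open_basedir, ...): overwrite the script so
    // later requests run nothing, and tell the operator to remove it by hand.
    @file_put_contents($self, "<?php exit('restore complete; delete this file');\n");
    return 'warning: could not delete ' . basename($self) . '; stub written, remove it manually';
}

if (PHP_SAPI === 'cli') {
    $crafted = ['step' => 3];                                   // no password, no token
    echo 'vulnerable: ', vulnerable_dispatch($crafted), PHP_EOL; // runs the step
    echo 'hardened:   ', hardened_dispatch($crafted), PHP_EOL;   // refused
    $tmp = tempnam(sys_get_temp_dir(), 'importbuddy');          // stand-in for __FILE__
    echo finish_and_self_delete($tmp), PHP_EOL;
}
```

Run it with `php importbuddy-demo.php`: the same request with `step=3` and no credentials is executed by the vulnerable dispatcher and refused by the hardened one. The CLI demo passes a temporary file to `finish_and_self_delete()` so the script does not delete itself while you experiment; in a real restore script the default `__FILE__` argument is the point. An operational check that follows from CVE-2013-2742 is to confirm, after any restore, that the import script no longer answers over HTTP.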
CVE-2013-2640 – MailUp newsletter sign-up form < 1.3.2 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2640
ajax.functions.php in the MailUp plugin before 1.3.2 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks via unspecified vectors related to "formData=save" requests, a different version than CVE-2013-0731.
• References: http://osvdb.org/91274 http://plugins.trac.wordpress.org/changeset?new=682420 http://secunia.com/advisories/51917 http://wordpress.org/extend/plugins/wp-mailup/changelog
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2013-0731 – MailUp newsletter sign-up form < 1.3.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0731
ajax.functions.php in the MailUp plugin before 1.3.3 for WordPress does not properly restrict access to unspecified Ajax functions, which allows remote attackers to modify plugin settings and conduct cross-site scripting (XSS) attacks by setting the wordpress_logged_in cookie. NOTE: this is due to an incomplete fix for a similar issue that was fixed in 1.3.2.
• References: http://osvdb.org/91274 http://plugins.trac.wordpress.org/changeset?new=682420 http://secunia.com/advisories/51917 http://wordpress.org/extend/plugins/wp-mailup/changelog http://www.securityfocus.com/bid/58467 https://exchange.xforce.ibmcloud.com/vulnerabilities/82847
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-264: Permissions, Privileges, and Access Controls
CVE-2013-2501 – Terillion Reviews < 1.2 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-2501
Cross-site scripting (XSS) vulnerability in the Terillion Reviews plugin before 1.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ProfileId field.
• References: https://www.exploit-db.com/exploits/38373 http://archives.neohapsis.com/archives/bugtraq/2013-03/0055.html http://osvdb.org/91123 http://packetstormsecurity.com/files/120730/WordPress-Terillion-Reviews-Cross-Site-Scripting.html http://plugins.trac.wordpress.org/changeset/683838/terillion-reviews http://wordpress.org/extend/plugins/terillion-reviews/changelog http://www.securityfocus.com/bid/58415 https://exchange.xforce.ibmcloud.com/vulnerabilities/82727
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
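The MailUp entries (a settings-save Ajax function whose access check can be satisfied by merely setting a wordpress_logged_in cookie) and the Terillion Reviews entry (a ProfileId setting that is rendered into the page as script) are two halves of the same chain: an unauthorised write into plugin options, then unescaped output of that option. The block below is an added illustration covering both and is not code from either plugin. It shows the weak gate the CVE-2013-0731 description implies, a raw save and echo, and then the hardened handler registered on the authenticated wp_ajax_ hook with nonce, capability, input and output checks. The option name, the action name, the assumed ProfileId format and the function names are assumptions; the WordPress functions called (check_ajax_referer, current_user_can, sanitize_text_field, wp_unslash, update_option, get_option, esc_attr, esc_html, wp_send_json_error, wp_send_json_success, wp_die, add_action) are real.

```php
<?php
// Added example, not MailUp's or Terillion Reviews' code. Option, action and
// function names are assumptions; the WordPress functions called are real.
if (!defined('ABSPATH')) {
    exit; // never execute when the file is requested directly instead of via WordPress
}

// Weak gate: any cookie whose name starts with wordpress_logged_in counts as
// an authenticated admin. The value is never validated, so a client can set
// one by hand and pass.
function weak_is_admin(): bool
{
    foreach (array_keys($_COOKIE) as $name) {
        if (strpos((string) $name, 'wordpress_logged_in') === 0) {
            return true;
        }
    }
    return false;
}

// Vulnerable handler: stores the raw field once the weak gate passes, then
// echoes it back unescaped; the stored value also renders unescaped later.
function vulnerable_save_settings(): void
{
    if (!weak_is_admin()) {
        wp_die('forbidden', '', ['response' => 403]);
    }
    update_option('example_profile_id', $_POST['ProfileId'] ?? '');
    echo '<p>Saved profile ' . get_option('example_profile_id') . '</p>'; // XSS sink
}

// Hardened handler: reached only through admin-ajax.php on the wp_ajax_ hook,
// where WordPress has already validated the auth cookie's signature; it then
// checks the nonce, the capability and the input shape before saving.
function hardened_save_settings(): void
{
    check_ajax_referer('example_save_settings', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    $profile_id = sanitize_text_field(wp_unslash((string) ($_POST['ProfileId'] ?? '')));
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $profile_id)) { // assumed ProfileId format
        wp_send_json_error('invalid ProfileId', 400);
    }
    update_option('example_profile_id', $profile_id);
    wp_send_json_success(['ProfileId' => $profile_id]);
}
add_action('wp_ajax_example_save_settings', 'hardened_save_settings'); // no wp_ajax_nopriv_ twin

// Render path: escape for the exact context on every output, so a value that
// reached the option store by any route cannot become script.
function render_profile_widget(): string
{
    $profile_id = (string) get_option('example_profile_id', '');
    return sprintf(
        '<div class="reviews" data-profile-id="%s">Profile %s</div>',
        esc_attr($profile_id),
        esc_html($profile_id)
    );
}
```

The admin page that calls the hardened action must send a nonce created with `wp_create_nonce('example_save_settings')` as the `nonce` field, and the action is deliberately not registered under `wp_ajax_nopriv_`, so an unauthenticated POST to admin-ajax.php never reaches it. Escaping in `render_profile_widget()` is kept even though the save path validates the value: option storage can be written by other plugins, imports or a future bug, and the render is the last line of defence.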