CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2017-17092 – WordPress Core < 4.9.1 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-17092
29 Nov 2017 — wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. wp-includes/functions.php en WordPress en versiones anteriores a la 4.9.1 no necesita la capacidad de unfiltered_html para subir archivos .js, lo que puede permitir que los atacantes remotos realicen ataques Cross-Site Scripting (XSS) mediante un archivo manipulado. Several vulnerabilities were discovered in... • http://www.securityfocus.com/bid/102024 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2017-17093 – WordPress Core < 4.9.1- Stored Cross-Site Scripting via Language
https://notcve.org/view.php?id=CVE-2017-17093
29 Nov 2017 — wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. wp-includes/general-template.php en WordPress en versiones anteriores a la 4.9.1 no restringe correctamente el atributo lang de un elemento HTML, lo que puede permitir que los atacantes realicen ataques Cross-Site Scripting (XSS) mediante la configuración de idioma de un sitio web. Several vulnerabi... • http://www.securityfocus.com/bid/102024 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2017-17094 – WordPress Core < 4.9.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-17094
29 Nov 2017 — wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. wp-includes/feed.php en WordPress en versiones anteriores a la 4.9.1 no restringe contenedores en los campos RSS y Atom, lo que puede permitir que los atacantes realicen ataques Cross-Site Scripting (XSS) mediante una URL manipulada. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote atta... • http://www.securityfocus.com/bid/102024 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2017-16510 – WordPress Core < 4.8.3 - SQL Injection due to Double Prepare approach
https://notcve.org/view.php?id=CVE-2017-16510
31 Oct 2017 — WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723. WordPress en versiones anteriores a la 4.8.3 se ve afectado por un problema en el que $wpdb->prepare() puede crear consultas inseguras e inesperadas que podrían provocar una inyección SQL (SQLi) en plugins y temas, tal y como se ve en el enf... • http://www.securityfocus.com/bid/101638 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.7EPSS: 0%CPEs: 1EXPL: 0CVE-2016-9263 – WordPress Core < 4.9.1 - Cross-domain Flash injection
https://notcve.org/view.php?id=CVE-2016-9263
10 Oct 2017 — WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file. WordPress hasta la versión 4.8.2, cuando no se utiliza el sandboxing flashmediaelement.swf basado en dominios, permite que atacantes remotos realicen ataques de inyección de código Flash en dominios cruzados (XSF) usando código contenido en el archi... • http://www.securityfocus.com/bid/101294 • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14721 – WordPress Core < 4.8.2 - Stored Cross-Site Scripting via Plugin Names
https://notcve.org/view.php?id=CVE-2017-14721
19 Sep 2017 — Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. Antes de la versión 4.8.2, WordPress permitía un ataque de Cross-Site Scripting (XSS) en el editor de plugins mediante un nombre de plugin modificado. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14720 – WordPress Core < 4.8.2 - Cross-Site Scripting via Template Name
https://notcve.org/view.php?id=CVE-2017-14720
19 Sep 2017 — Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. Antes de la versión 4.8.2, WordPress permitía un ataque de Cross-Site Scripting (XSS) en la vista de plantilla de lista mediante un nombre de plantilla modificado. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14718 – WordPress Core < 4.8.2 - Cross-Site Scripting via Javascript: and Data: URLs
https://notcve.org/view.php?id=CVE-2017-14718
19 Sep 2017 — Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. Antes de la versión 4.8.2, WordPress era susceptible a un ataque de Cross-Site Scripting (XSS) en el modal de enlace mediante una URL javascript: o data:. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 202EXPL: 1CVE-2017-14719 – WordPress Core < 4.8.2 - Directory Traversal during unzip
https://notcve.org/view.php?id=CVE-2017-14719
19 Sep 2017 — Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. Antes de la versión 4.8.2, WordPress era susceptible a un ataque de salto de directorio durante operaciones de descompresión en los componentes ZipArchive y PclZip. • https://github.com/PalmTreeForest/CodePath_Week_7-8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-14724 – WordPress Core < 4.8.2 - Cross-Site Scripting in oEmbed
https://notcve.org/view.php?id=CVE-2017-14724
19 Sep 2017 — Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. Antes de la versión 4.8.2, WordPress era vulnerable a Cross-Site Scripting (XSS) en oEmbed Discovery. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •