CVSS: 7.2EPSS: 0%CPEs: 45EXPL: 0CVE-2013-0734 – Mingle Forum <= 1.0.33.3 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0734
Multiple cross-site scripting (XSS) vulnerabilities in the Mingle Forum plugin before 1.0.34 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) search_words parameter in a search action to wpf.class.php or (2) togroupusers parameter in an add_user_togroup action to fs-admin/fs-admin.php. Múltiples vulnerabilidades de XSS en el plugin Mingle Forum anterior a 1.0.34 para WordPress permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través del (1) parámetro search_words en una acción de búsqueda hacia wpf.class.php o (2) parámetro togroupusers en una acción add_user_togroup hacia fs-admin/fs-admin.php. • http://osvdb.org/90432 http://osvdb.org/90433 http://secunia.com/advisories/52167 http://secunia.com/secunia_research/2013-3 http://www.securityfocus.com/bid/58059 https://exchange.xforce.ibmcloud.com/vulnerabilities/82187 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 45EXPL: 0CVE-2013-0735 – Mingle Forum <= 1.0.33.3 - SQL Injection
https://notcve.org/view.php?id=CVE-2013-0735
Multiple SQL injection vulnerabilities in wpf.class.php in the Mingle Forum plugin before 1.0.34 for WordPress allow remote attackers to execute arbitrary SQL commands via the id parameter in a viewtopic (1) remove_post, (2) sticky, or (3) closed action or (4) thread parameter in a postreply action to index.php. Múltiples vulnerabilidades de inyección SQL en wpf.class.php en el plugin Mingle Forum anterior a 1.0.34 para WordPress permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro id en un viewtopic (1) remove_post, (2) sticky o (3) closed action o un parámetro (4) thread en una acción postreply hacia index.php. • http://osvdb.org/90434 http://secunia.com/advisories/52167 http://secunia.com/secunia_research/2013-4 http://www.securityfocus.com/bid/58059 https://exchange.xforce.ibmcloud.com/vulnerabilities/82188 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 1%CPEs: 53EXPL: 4CVE-2013-1409 – CommentLuv < 2.92.4 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-1409
Cross-site scripting (XSS) vulnerability in the CommentLuv plugin before 2.92.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the _ajax_nonce parameter to wp-admin/admin-ajax.php. Vulnerabilidad de XSS en el plugin CommentLuv anterior a 2.92.4 para WordPress permite a atacantes remotos inyectar script Web o HTML arbitrarios a través del parámetro _ajax_nonce hacia wp-admin/admin-ajax.php. The CommentLuv plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_ajax_nonce' parameter in versions up to 2.92.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. WordPress CommentLuv version 2.92.3 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/38296 http://archives.neohapsis.com/archives/bugtraq/2013-02/0031.html http://osvdb.org/89925 http://packetstormsecurity.com/files/120090/WordPress-CommentLuv-2.92.3-Cross-Site-Scripting.html http://wordpress.org/plugins/commentluv/changelog https://www.htbridge.com/advisory/HTB23138 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 10EXPL: 1CVE-2013-1464 – Audio Player <= 2.0.4.5 - Cross-Site Scripting via playerID Parameter
https://notcve.org/view.php?id=CVE-2013-1464
Cross-site scripting (XSS) vulnerability in assets/player.swf in the Audio Player plugin before 2.0.4.6 for Wordpress allows remote attackers to inject arbitrary web script or HTML via the playerID parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en ssets/player.swf en el plugin Audio Player anterior a v2.0.4.6 para Wordpress permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro playerID. WordPress Audio Player versions prior to 2.0.4.6 suffer from a cross site scripting vulnerability in player.swf. • https://www.exploit-db.com/exploits/38300 http://insight-labs.org/?p=738 http://packetstormsecurity.com/files/120129/WordPress-Audio-Player-SWF-Cross-Site-Scripting.html http://secunia.com/advisories/52083 http://secunia.com/advisories/58854 http://wordpress.org/extend/plugins/audio-player/changelog http://www.securityfocus.com/bid/57848 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 3%CPEs: 76EXPL: 1CVE-2013-0235 – WordPress Core < 3.5.1 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2013-0235
The XMLRPC API in WordPress before 3.5.1 allows remote attackers to send HTTP requests to intranet servers, and conduct port-scanning attacks, by specifying a crafted source URL for a pingback, related to a Server-Side Request Forgery (SSRF) issue. La API XMLRPC en WordPress anteriores a v3.5.1 permite a a atacantes remotos a enviar peticiones HTTP a servidores de la intranet, y conducir ataques de escaneo de puertos, especificando una URL origen manipulada en la respuesta a un ping, relacionado con una falsificación de petición del lado del servidor (SSRF). • http://codex.wordpress.org/Version_3.5.1 http://core.trac.wordpress.org/changeset/23330 http://wordpress.org/news/2013/01/wordpress-3-5-1 http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability https://bugzilla.redhat.com/show_bug.cgi?id=904120 • CWE-918: Server-Side Request Forgery (SSRF) •