CVSS: 6.4EPSS: 0%CPEs: 76EXPL: 1CVE-2013-0236 – WordPress Core < 3.5.1 - Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0236
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 3.5.1 allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) gallery shortcodes or (2) the content of a post. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en WordPress anteriores a v3.5.1 permite a atacantes remotos a inyectar comandos web o HTML a través de vectores que implican (1) códigos cortos de la galería o (2) contenido de un post. • http://codex.wordpress.org/Version_3.5.1 http://core.trac.wordpress.org/changeset/23317 http://core.trac.wordpress.org/changeset/23322 http://wordpress.org/news/2013/01/wordpress-3-5-1 https://bugzilla.redhat.com/show_bug.cgi?id=904121 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 89EXPL: 1CVE-2013-0237 – WordPress Core < 3.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-0237
Cross-site scripting (XSS) vulnerability in Plupload.as in Moxiecode plupload before 1.5.5, as used in WordPress before 3.5.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the id parameter. Vulnerabilidad de ejecución de comandos en sitios cruzados en Plupload.as en Moxiecode Plupload anteriores a v1.5.5, como el usado en WordPress anteriores a v3.5.1 y otros productos, permiten a atacantes remotos inyectar comandos web o HTML a través del parámetro id. • http://codex.wordpress.org/Version_3.5.1 http://wordpress.org/news/2013/01/wordpress-3-5-1 https://bugzilla.redhat.com/show_bug.cgi?id=904122 https://github.com/moxiecode/plupload/commit/2d746ee9083c184f1234d8fed311e89bdd1b39e5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 21EXPL: 0CVE-2012-4920 – Forums < 1.4.4 - Directory Traversal
https://notcve.org/view.php?id=CVE-2012-4920
Directory traversal vulnerability in the zing_forum_output function in forum.php in the Zingiri Forum (aka Forums) plugin before 1.4.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the url parameter to index.php. Vulnerabilidad de salto de directorio en la función zing_forum_output en forum.php en el plugin Zingiri Forum (también conocido como Forums) anterior a 1.4.4 para WordPress permite a atacantes remotos leer archivos arbitrarios a través de un .. (punto punto) en el parámetro url hacia index.php. • http://osvdb.org/89069 http://secunia.com/advisories/50833 http://wordpress.org/plugins/zingiri-forum/changelog https://exchange.xforce.ibmcloud.com/vulnerabilities/81156 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 90%CPEs: 19EXPL: 1CVE-2012-4915 – Google Doc Embedder < 2.5.4 - Directory Traversal
https://notcve.org/view.php?id=CVE-2012-4915
Directory traversal vulnerability in the Google Doc Embedder plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to libs/pdf.php. Vulnerabilidad de salto de directorio en el plugin Google Doc Embedder anterior a 2.5.4 para WordPress permite a atacantes remotos leer archivos arbitrarios a través de un .. (punto punto) en el parámetro file en libs/pdf.php. • https://www.exploit-db.com/exploits/23970 http://osvdb.org/88891 http://secunia.com/advisories/50832 http://www.securityfocus.com/bid/57133 https://exchange.xforce.ibmcloud.com/vulnerabilities/80930 http://web.archive.org/web/20130119141940/http://secunia.com/advisories/50832 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2013-0721 – WP PHP Widget <= 1.0.2 - Full Path Disclosure
https://notcve.org/view.php?id=CVE-2013-0721
wp-php-widget.php in the WP PHP widget plugin 1.0.2 for WordPress allows remote attackers to obtain sensitive information via a direct request, which reveals the full path in an error message. wp-php-widget.php en el plugin WP PHP widget v1.0.2 para WordPress permite a atacantes remotos obtener información sensible a través de una solicitud directa, lo que revela la ruta completa de un mensaje de error. • http://osvdb.org/ref/88/wp-php-widget.txt http://www.osvdb.org/88846 https://exchange.xforce.ibmcloud.com/vulnerabilities/80906 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •