CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 2CVE-2012-5388 – White Label CMS < 1.5.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-5388
Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en wlcms-plugin.php en el plugin White Label CMS v1.5 para WordPress, permite a usuarios remotor atuenticados a inyectar secuencias de comandos web o HTML a través del parámetro wlcms_o_developer_name en una acción save sobre wp-admin/admin.php, está relacionado con CVE-2012-5387. White Label CMS version 1.5 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/22156 http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html http://wordpress.org/extend/plugins/white-label-cms/changelog http://www.exploit-db.com/exploits/22156 http://www.securityfocus.com/bid/56166 https://exchange.xforce.ibmcloud.com/vulnerabilities/79522 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 17EXPL: 2CVE-2012-5387 – White Label CMS < 1.5.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-5387
Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences. Múltiples vulnerabilidades de falsificación de petición en sitios cruzados (CSRF) en wlcms-plugin.php en el plugin White Label CMS anteriores a v1.5.1 para WordPress, permite a atacantes remotos secuestrar la autenticación de los administradores para peticiones que piden que modifique el nombre del desarrollador a través del parámetro wlcms_o_developer_name en una acción save sobre wp-admin/admin.php, como se demostró por el nombre de desarrollador que contiene secuencias XSS. White Label CMS version 1.5 suffers from cross site request forgery and cross site scripting vulnerabilities. • https://www.exploit-db.com/exploits/22156 http://osvdb.org/86568 http://packetstormsecurity.org/files/117590/White-Label-CMS-1.5-Cross-Site-Request-Forgery-Cross-Site-Scripting.html http://wordpress.org/extend/plugins/white-label-cms/changelog http://www.exploit-db.com/exploits/22156 http://www.securityfocus.com/bid/56166 https://exchange.xforce.ibmcloud.com/vulnerabilities/79520 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 0%CPEs: 44EXPL: 1CVE-2012-5327 – Mingle Forum <= 1.0.32.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2012-5327
Multiple SQL injection vulnerabilities in fs-admin/fs-admin.php in the Mingle Forum plugin 1.0.32.1 and other versions before 1.0.33 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) delete_usrgrp[] parameter in a delete_usergroups action, (2) usergroup parameter in an add_user_togroup action, or (3) add_forum_group_id parameter in an add_forum_submit action. Múltiples vulnerabilidades de inyección SQL en el complemento Mingle Forum v1.0.32.1 y otras versiones antes de v1.0.33 para WordPress podría permitir a usuarios remotos autenticados ejecutar comandos SQL a través de el parámetro(1) delete_usrgrp[] en una acción delete_usergroups, el parámetro (2) usergroup en una acción add_user_togroup, o el parámetro (3) add_forum_group_id en una acción add_forum_submit. • http://packetstormsecurity.org/files/view/108915/wpmingleforum-sqlxss.txt http://plugins.trac.wordpress.org/changeset?reponame=&new=492859%40mingle-forum&old=487353%40mingle-forum http://wordpress.org/extend/plugins/mingle-forum/changelog https://exchange.xforce.ibmcloud.com/vulnerabilities/72641 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 44EXPL: 0CVE-2012-5328 – Mingle Forum <= 1.0.32.1 - SQL Injection
https://notcve.org/view.php?id=CVE-2012-5328
Multiple SQL injection vulnerabilities in the Mingle Forum plugin 1.0.32.1 and other versions before 1.0.33 for WordPress might allow remote authenticated users to execute arbitrary SQL commands via the (1) memberid or (2) groupid parameters in a removemember action or (3) id parameter to fs-admin/fs-admin.php, or (4) edit_forum_id parameter in an edit_save_forum action to fs-admin/wpf-edit-forum-group.php. Múltiples vulnerabilidades de inyección SQL en el complemento Mingle Forum v1.0.32.1 y otras versiones antes de v1.0.33 para WordPress podría permitir a usuarios remotos autenticados ejecutar comandos SQL a través de los parámetros (1) memberid o (2) groupid en una acción removemember o el parámetro (3) id a fs-admin/fs-admin.php, o el parámetro (4) edit_forum_id parameter en una acción edit_save_forum a fs-admin/wpf-edit-forum-group.php. • http://plugins.trac.wordpress.org/changeset?reponame=&new=492859%40mingle-forum&old=487353%40mingle-forum http://wordpress.org/extend/plugins/mingle-forum/changelog • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 68EXPL: 0CVE-2012-5310 – WP eCommerce < 3.8.7.6 - SQL Injection
https://notcve.org/view.php?id=CVE-2012-5310
SQL injection vulnerability in the WP e-Commerce plugin before 3.8.7.6 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en el plugin WP e-Commerce anterior a v3.8.7.6 para WordPress, permite a atacantes remotos ejecutar comandos SQL de su elección a través de vectores desconocidos • http://secunia.com/advisories/47627 http://wordpress.org/extend/plugins/wp-e-commerce/changelog http://www.securityfocus.com/bid/51637 https://exchange.xforce.ibmcloud.com/vulnerabilities/72622 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •