Page 74 of 660 results (0.005 seconds)

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2

CVE-2011-5182 – WordPress Plugin Lanoba Social 1.0 - 'action' Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2011-5182

Cross-site scripting (XSS) vulnerability in lanoba-social-plugin/index.php in the Lanoba Social plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor disputes this issue, stating "Lanoba's plug in does sanitize user input, and because that input is never sent to the browser, an attacker has no way of executing script or code on a user's behalf. ** EN DISPUTA ** Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en lanoba-social-plugin/index.php en el plugin Lanoba Social para WordPress v1.0, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro 'action'. NOTA: El vendendor no esta de acuerdo con este problema, alegando que Lanoba no limpia la entrada del usuario, y debido a que la entrada nunca se envía al navegador, un atacante no tiene manera de ejecutar un script o cualquier tipo de código en nombre de otro usuario". • https://www.exploit-db.com/exploits/36326 http://www.securityfocus.com/archive/1/520574/100/0/threaded http://www.securityfocus.com/archive/1/520678/100/0/threaded http://www.securityfocus.com/bid/50746 https://exchange.xforce.ibmcloud.com/vulnerabilities/71411 https://wordpress.org/support/topic/plugin-lanoba-social-plugin-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2

CVE-2012-4242 – MF Gig Calendar <= 0.9.4.1 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2012-4242

Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el complemento MF Gig Calendar para WordPress, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de la cadena de consulta en la página de calendario. Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin < 0.9.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. WordPress MF Gig Calendar plugin version 0.9.2 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/37829 http://www.reactionpenetrationtesting.co.uk/mf-gig-calendar-xss.html http://www.securityfocus.com/bid/55622 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.3EPSS: 0%CPEs: 87EXPL: 1

CVE-2012-4421 – WordPress Core < 3.4.2 - Missing Authorization Checks on create_post

https://notcve.org/view.php?id=CVE-2012-4421

The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. La función create_post en wp-includes/class-wp-atom-server.php en WordPress antes de v3.4.2 no realiza determinadas comprobaciones, lo que permite a usuarios remotos autenticados eludir restricciones de acceso y publicar nuevos mensajes aprovechándose del rol de Colaborador y usando el Protocolo de Publicación (Conocido como AtomPub). • http://codex.wordpress.org/Version_3.4.2 http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_path=%2Ftags%2F3.4.2&new=21780#file2 http://openwall.com/lists/oss-security/2012/09/13/4 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •

CVSS: 3.8EPSS: 0%CPEs: 88EXPL: 1

CVE-2012-4422 – WordPress Core < 3.4.2 - Missing Authorization Checks

https://notcve.org/view.php?id=CVE-2012-4422

wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. wp-admin/plugins.php en WordPress anterior a v3.4.2, cuando la característica multisitio está activada, no comprueba los privilegios de administrador de red antes de llevar a cabo la activación de red de un plugin instalado, lo cual podría permitir a usuarios remotos autenticados para realizar cambios no deseados del plugin mediante el aprovechamiento de la función de administrador. • http://codex.wordpress.org/Version_3.4.2 http://core.trac.wordpress.org/changeset?old_path=%2Ftags%2F3.4.1&old=21780&new_path=%2Ftags%2F3.4.2&new=21780#file42 http://openwall.com/lists/oss-security/2012/09/13/4 • CWE-264: Permissions, Privileges, and Access Controls CWE-862: Missing Authorization •

CVSS: 6.1EPSS: 1%CPEs: 55EXPL: 2

CVE-2011-4926 – Adminimize <= 1.7.21 - Cross-Site Scripting

https://notcve.org/view.php?id=CVE-2011-4926

Cross-site scripting (XSS) vulnerability in adminimize/adminimize_page.php in the Adminimize plugin before 1.7.22 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS)en adminimize/adminimize_page.php en el plugin anterior a v1.7.22 para WordPress permite a atacantes remotos inyectar código web o HTML a través del parámetro page. • https://www.exploit-db.com/exploits/36325 http://plugins.trac.wordpress.org/changeset?reponame=&new=467338%40adminimize&old=466900%40adminimize#file5 http://wordpress.org/extend/plugins/adminimize/changelog http://www.openwall.com/lists/oss-security/2012/01/05/10 http://www.openwall.com/lists/oss-security/2012/01/10/9 http://www.osvdb.org/77472 http://www.securityfocus.com/archive/1/520591 http://www.securityfocus.com/archive/1/520591/100/0/threaded http://www.securityfocus • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •