CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2012-4448
https://notcve.org/view.php?id=CVE-2012-4448
Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action. Una vulnerabilidad de falsificación de peticiones en sitios cruzados (CSRF) en wp-admin/index.php en WordPress v3.4.2 permite a atacantes remotos secuestrar la autenticación de las solicitudes de administradores que modifican una URL de un RSS a través de una acción de edición dashboard_incoming_links. • http://openwall.com/lists/oss-security/2012/09/25/15 http://packetstormsecurity.org/files/116785/WordPress-3.4.2-Cross-Site-Request-Forgery.html http://secunia.com/advisories/50715 https://bugs.gentoo.org/show_bug.cgi?id=436198 https://bugzilla.redhat.com/show_bug.cgi?id=860261 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 3CVE-2011-5194 – WHOIS <= 1.4.2.2 - Reflected Cross Site Scripting
https://notcve.org/view.php?id=CVE-2011-5194
Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin before 1.4.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the domain parameter, a different vulnerability than CVE-2011-5193. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en vendors/samswhois/samswhois.inc.php en el plugin de búsqueda Whois para WordPress antes de v1.4.2.3 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro de dominio (domain). Se trata de una vulnerabilidad diferente a CVE-2011-5193. • http://packetstormsecurity.org/files/view/108271/wpwhois-xss.txt http://plugins.trac.wordpress.org/changeset/482954/wordpress-whois-search http://secunia.com/advisories/47428 http://wordpress.org/extend/plugins/wordpress-whois-search/changelog http://www.securityfocus.com/bid/51244 https://exchange.xforce.ibmcloud.com/vulnerabilities/72074 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2011-5193 – WHOIS <= 1.4.2.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-5193
Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en vendors/samswhois/samswhois.inc.php en el plugin de búsqueda Whois para WordPress v1.4.2.3, cuando el widget WHOIS está activado, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro de dominio (doamin) a index.php. Se trata de una vulnerabilidad diferente a CVE-2011-5194a • https://www.exploit-db.com/exploits/36488 http://secunia.com/advisories/47428 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 2CVE-2011-5182 – WordPress Plugin Lanoba Social 1.0 - 'action' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-5182
Cross-site scripting (XSS) vulnerability in lanoba-social-plugin/index.php in the Lanoba Social plugin 1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via the action parameter. NOTE: the vendor disputes this issue, stating "Lanoba's plug in does sanitize user input, and because that input is never sent to the browser, an attacker has no way of executing script or code on a user's behalf. ** EN DISPUTA ** Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en lanoba-social-plugin/index.php en el plugin Lanoba Social para WordPress v1.0, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro 'action'. NOTA: El vendendor no esta de acuerdo con este problema, alegando que Lanoba no limpia la entrada del usuario, y debido a que la entrada nunca se envía al navegador, un atacante no tiene manera de ejecutar un script o cualquier tipo de código en nombre de otro usuario". • https://www.exploit-db.com/exploits/36326 http://www.securityfocus.com/archive/1/520574/100/0/threaded http://www.securityfocus.com/archive/1/520678/100/0/threaded http://www.securityfocus.com/bid/50746 https://exchange.xforce.ibmcloud.com/vulnerabilities/71411 https://wordpress.org/support/topic/plugin-lanoba-social-plugin-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 2CVE-2012-4242 – MF Gig Calendar <= 0.9.4.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-4242
Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin 0.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el complemento MF Gig Calendar para WordPress, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de la cadena de consulta en la página de calendario. Cross-site scripting (XSS) vulnerability in the MF Gig Calendar plugin < 0.9.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the calendar page. WordPress MF Gig Calendar plugin version 0.9.2 suffers from a cross site scripting vulnerability. • https://www.exploit-db.com/exploits/37829 http://www.reactionpenetrationtesting.co.uk/mf-gig-calendar-xss.html http://www.securityfocus.com/bid/55622 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •