![](/assets/img/cve_300x82_sin_bg.png)
CVE-2018-10100 – WordPress Core < 4.9.5 - Open Redirect
https://notcve.org/view.php?id=CVE-2018-10100
03 Apr 2018 — Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions or unsafe redirects.
• http://www.securitytracker.com/id/1040836
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2018-10101 – WordPress Core < 4.9.5 - Security Misconfiguration with URL Hostnames
https://notcve.org/view.php?id=CVE-2018-10101
03 Apr 2018 — Before WordPress 4.9.5, the URL validator assumed URLs with the hostname localhost were on the same host as the WordPress server. Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions or unsafe redirects.
• http://www.securityfocus.com/bid/104350
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2018-10102 – WordPress Core < 4.9.5 - Authenticated Stored Cross-Site Scripting via Generator Tag
https://notcve.org/view.php?id=CVE-2018-10102
03 Apr 2018 — Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions or u...
• http://www.securityfocus.com/bid/103775
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-6389 – WordPress Core < 5.0 - Denial of Service
https://notcve.org/view.php?id=CVE-2018-6389
05 Feb 2018 — In WordPress through 4.9.2, unauthenticated attackers can cause a denial of service (resource consumption) by using the large list of registered .js files (from wp-includes/script-loader.php) to construct a series of requests to load every file many times.
• https://packetstorm.news/files/id/146249
• CWE-400: Uncontrolled Resource Consumption
CVE-2018-5776 – WordPress Core < 4.9.2 - Authenticated Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-5776
16 Jan 2018 — WordPress before 4.9.2 has XSS in the Flash fallback files in MediaElement (under wp-includes/js/mediaelement).
• https://codex.wordpress.org/Version_4.9.2
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-17091 – WordPress Core < 4.9.1 - Authorization Bypass
https://notcve.org/view.php?id=CVE-2017-17091
29 Nov 2017 — wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. Severa...
• http://www.securityfocus.com/bid/102024
• CWE-285: Improper Authorization
• CWE-330: Use of Insufficiently Random Values
CVE-2017-17092 – WordPress Core < 4.9.1 - Authenticated Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-17092
29 Nov 2017 — wp-includes/functions.php in WordPress before 4.9.1 does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. Several vulnerabilities were discovered in...
• http://www.securityfocus.com/bid/102024
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-17093 – WordPress Core < 4.9.1 - Stored Cross-Site Scripting via Language
https://notcve.org/view.php?id=CVE-2017-17093
29 Nov 2017 — wp-includes/general-template.php in WordPress before 4.9.1 does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. Several vulnerabi...
• http://www.securityfocus.com/bid/102024
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-17094 – WordPress Core < 4.9.1 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-17094
29 Nov 2017 — wp-includes/feed.php in WordPress before 4.9.1 does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote atta...
• http://www.securityfocus.com/bid/102024
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-16510 – WordPress Core < 4.8.3 - SQL Injection due to Double Prepare approach
https://notcve.org/view.php?id=CVE-2017-16510
31 Oct 2017 — WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.
• http://www.securityfocus.com/bid/101638
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')