CVSS: 6.1EPSS: 0%CPEs: 78EXPL: 1CVE-2012-4264 – Better WP Security <= 3.2.4 - Multiple Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-4264
Multiple cross-site scripting (XSS) vulnerabilities in the Better WP Security (better_wp_security) plugin before 3.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "server variables," a different vulnerability than CVE-2012-4263. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en el plugin 'Better WP Security' (better_wp_security) para WordPress antes de v3.2.5 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de vectores no especificados relacionados con "variables de servidor". Se trata una vulnerabilidad diferente a CVE-2012-4263. • http://bit51.com/software/better-wp-security/changelog http://plugins.trac.wordpress.org/changeset?old_path=%2Fbetter-wp-security&old=542852&new_path=%2Fbetter-wp-security&new=542852 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 1CVE-2012-4271 – Bad Behavior < 2.0.47 & 2.2.0 - 2.2.4 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-4271
Multiple cross-site scripting (XSS) vulnerabilities in bad-behavior-wordpress-admin.php in the Bad Behavior plugin before 2.0.47 and 2.2.x before 2.2.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) httpbl_key, (3) httpbl_maxage, (4) httpbl_threat, (5) reverse_proxy_addresses, or (6) reverse_proxy_header parameter. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en bad-behavior-wordpress-admin.php en el plugin 'Bad Behavior' (mala conducta) antes de v2.0.47 y v2.2.x antes de v2.2.5 para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML a través de (1) PATH_INFO, (2) httpbl_key, (3) httpbl_maxage, (4) httpbl_threat, (5) reverse_proxy_addresses, o (6) el parámetro reverse_proxy_header. • http://packetstormsecurity.org/files/112619/WordPress-Bad-Behavior-Cross-Site-Scripting.html http://plugins.trac.wordpress.org/changeset?old_path=%2Fbad-behavior&old=543807&new_path=%2Fbad-behavior&new=543807 http://www.securityfocus.com/bid/53477 https://exchange.xforce.ibmcloud.com/vulnerabilities/75521 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 20EXPL: 0CVE-2012-2920 – User Photo <= 0.9.5 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-2920
Cross-site scripting (XSS) vulnerability in the userphoto_options_page function in user-photo.php in the User Photo plugin before 0.9.5.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to wp-admin/options-general.php. NOTE: some of these details are obtained from third party information. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la función userphoto_options_page de user-photo.php del complemento User Photo en versiones anteriores a la 0.9.5.2 de WordPress. Permite a atacantes remotos inyectar codigo de script web o código HTML de su elección a través de PATH_INFO de wp-admin/options-general.php. NOTA: algunos de estos detalles han sido obtenidos de información procedente de terceras partes. • http://osvdb.org/81806 http://plugins.trac.wordpress.org/changeset?old_path=%2Fuser-photo&old=541880&new_path=%2Fuser-photo&new=541880 http://secunia.com/advisories/49100 http://wordpress.org/extend/plugins/user-photo/changelog http://www.securityfocus.com/bid/53449 https://exchange.xforce.ibmcloud.com/vulnerabilities/75496 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 15EXPL: 1CVE-2012-4283 – Login With Ajax < 3.0.4.1 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-4283
Cross-site scripting (XSS) vulnerability in the Login With Ajax plugin before 3.0.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the callback parameter. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en el plugin 'Login With Ajax' antes de v3.0.4.1 para WordPress permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro de devolución de llamada (callback). • http://plugins.trac.wordpress.org/changeset/541069 http://secunia.com/advisories/49013 http://wordpress.org/extend/plugins/login-with-ajax/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 83EXPL: 3CVE-2012-1936 – WordPress Core 3.3.1 - Multiple Cross-Site Request Forgery Vulnerabilities
https://notcve.org/view.php?id=CVE-2012-1936
The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations ** EN DISPUTA ** La función wp_create_nonce en wp-includes/pluggable.php en WordPress v3.3.1 y anteriores asocia un "nomce" con una cuenta de usuario en lugar de con una sesión de usuario, lo que facilita a atacantes remotos realizar ataques de falsificación de petición en sitios cruzados (CSRF) en acciones específicas y objetos espiando el tráfico de la red, como se demostró con el ataque contra los scripts wp-admin/admin-ajax.php y wp-admin/user-new.php. NOTA: El desarrollador disputa la importancia de este problema, por que wp_create_nonce funciona como está previsto incluso si es incompatible con algunas protecciones CSRF incorporadas por organizaciones externas. WordPress version 3.3.1 suffers from multiple cross site request forgery vulnerabilities. • https://www.exploit-db.com/exploits/18791 http://www.exploit-db.com/exploits/18791 http://www.securityfocus.com/bid/53280 http://www.webapp-security.com/2012/04/wordpress-3-3-1-multiple-csrf-vulnerabilities http://www.webapp-security.com/wp-content/uploads/2012/04/Wordpress-3.3.1-Multiple-CSRF-Vulnerabilities6.txt • CWE-352: Cross-Site Request Forgery (CSRF) •