
CVE-2017-14723 – WordPress Core < 4.8.2 - SQL Injection via Mishandled Placeholders
https://notcve.org/view.php?id=CVE-2017-14723
19 Sep 2017 — Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks. Antes de la versión 4.8.2, WordPress no gestionaba correctamente caracteres % y valores de sustitución adicionales en $wpdb->prepare, por lo que no abordaba correctamente la posibilidad de que los plugins o los temas permitiesen los ataques de inyección SQL. • http://www.securityfocus.com/bid/100912 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2017-14725 – WordPress Core < 4.8.2 - Open Redirect in Admin Dashboard
https://notcve.org/view.php?id=CVE-2017-14725
19 Sep 2017 — Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. Antes de la versión 4.8.2, WordPress era susceptible a un ataque de redirección abierta en wp-admin/edit-tag-form.php y wp-admin/user-edit.php. • http://www.securityfocus.com/bid/100912 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2017-14719 – WordPress Core < 4.8.2 - Directory Traversal during unzip
https://notcve.org/view.php?id=CVE-2017-14719
19 Sep 2017 — Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. Antes de la versión 4.8.2, WordPress era susceptible a un ataque de salto de directorio durante operaciones de descompresión en los componentes ZipArchive y PclZip. • https://github.com/PalmTreeForest/CodePath_Week_7-8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2017-14720 – WordPress Core < 4.8.2 - Cross-Site Scripting via Template Name
https://notcve.org/view.php?id=CVE-2017-14720
19 Sep 2017 — Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. Antes de la versión 4.8.2, WordPress permitía un ataque de Cross-Site Scripting (XSS) en la vista de plantilla de lista mediante un nombre de plantilla modificado. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2017-14721 – WordPress Core < 4.8.2 - Stored Cross-Site Scripting via Plugin Names
https://notcve.org/view.php?id=CVE-2017-14721
19 Sep 2017 — Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. Antes de la versión 4.8.2, WordPress permitía un ataque de Cross-Site Scripting (XSS) en el editor de plugins mediante un nombre de plugin modificado. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2017-14724 – WordPress Core < 4.8.2 - Cross-Site Scripting in oEmbed
https://notcve.org/view.php?id=CVE-2017-14724
19 Sep 2017 — Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. Antes de la versión 4.8.2, WordPress era vulnerable a Cross-Site Scripting (XSS) en oEmbed Discovery. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2017-9064 – WordPress Core < 4.7.5 - Cross-Site Request Forgery Filesystem Credential Update
https://notcve.org/view.php?id=CVE-2017-9064
16 May 2017 — In WordPress before 4.7.5, a Cross Site Request Forgery (CSRF) vulnerability exists in the filesystem credentials dialog because a nonce is not required for updating credentials. En WordPress antes de 4.7.5, existe una vulnerabilidad de Cross Site Request Forgery (CSRF) en el diálogo de credenciales del sistema de archivos porque no se requiere un nonce para actualizar las credenciales. Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to force pass... • http://www.debian.org/security/2017/dsa-3870 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2017-9065 – WordPress Core < 4.7.5 - Authorization Bypass Allowing Post Meta Updates
https://notcve.org/view.php?id=CVE-2017-9065
16 May 2017 — In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. En WordPress anteriores a 4.7.5, hay una falta de verificaciones de capacidad para el envío de metadatos en la API XML-RPC. Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to force password resets, and perform various cross-site scripting and cross-site request forgery attacks. • http://www.debian.org/security/2017/dsa-3870 • CWE-20: Improper Input Validation CWE-285: Improper Authorization •

CVE-2017-9062 – WordPress Core < 4.7.5 - Mishandling Post Meta Values via XML-RPC
https://notcve.org/view.php?id=CVE-2017-9062
16 May 2017 — In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. En WordPress anteriores a 4.7.5, existe una manipulación incorrecta de los valores meta-datos al hacer el post en la API XML-RPC. Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to force password resets, and perform various cross-site scripting and cross-site request forgery attacks. • http://www.debian.org/security/2017/dsa-3870 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-285: Improper Authorization CWE-352: Cross-Site Request Forgery (CSRF) CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2017-9066 – WordPress Core < 4.7.5 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2017-9066
16 May 2017 — In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. En WordPress anterior a versión 4.7.5, no hay suficiente validación de redireccionamiento en la clase de HTTP, lo que conlleva a una vulnerabilidad de tipo SSRF. Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform SQL injections and various Cross-Side Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks, as well as bypass some acce... • http://www.securityfocus.com/bid/98509 • CWE-918: Server-Side Request Forgery (SSRF) •