
CVE-2017-14720 – WordPress Core < 4.8.2 - Cross-Site Scripting via Template Name
https://notcve.org/view.php?id=CVE-2017-14720
19 Sep 2017 — Before version 4.8.2, WordPress allowed a Cross-Site scripting attack in the template list view via a crafted template name. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-14721 – WordPress Core < 4.8.2 - Stored Cross-Site Scripting via Plugin Names
https://notcve.org/view.php?id=CVE-2017-14721
19 Sep 2017 — Before version 4.8.2, WordPress allowed Cross-Site scripting in the plugin editor via a crafted plugin name. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-14724 – WordPress Core < 4.8.2 - Cross-Site Scripting in oEmbed
https://notcve.org/view.php?id=CVE-2017-14724
19 Sep 2017 — Before version 4.8.2, WordPress was vulnerable to cross-site scripting in oEmbed discovery. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-14725 – WordPress Core < 4.8.2 - Open Redirect in Admin Dashboard
https://notcve.org/view.php?id=CVE-2017-14725
19 Sep 2017 — Before version 4.8.2, WordPress was susceptible to an open redirect attack in wp-admin/edit-tag-form.php and wp-admin/user-edit.php. • http://www.securityfocus.com/bid/100912 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVE-2017-14718 – WordPress Core < 4.8.2 - Cross-Site Scripting via Javascript: and Data: URLs
https://notcve.org/view.php?id=CVE-2017-14718
19 Sep 2017 — Before version 4.8.2, WordPress was susceptible to a Cross-Site Scripting attack in the link modal via a javascript: or data: URL. • http://www.securityfocus.com/bid/100912 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2017-14719 – WordPress Core < 4.8.2 - Directory Traversal during unzip
https://notcve.org/view.php?id=CVE-2017-14719
19 Sep 2017 — Before version 4.8.2, WordPress was vulnerable to a directory traversal attack during unzip operations in the ZipArchive and PclZip components. • https://github.com/PalmTreeForest/CodePath_Week_7-8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2017-9065 – WordPress Core < 4.7.5 - Authorization Bypass Allowing Post Meta Updates
https://notcve.org/view.php?id=CVE-2017-9065
16 May 2017 — In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API. Several vulnerabilities were discovered in WordPress, a web blogging tool. They would allow remote attackers to force password resets, and perform various cross-site scripting and cross-site request forgery attacks. • http://www.debian.org/security/2017/dsa-3870 • CWE-20: Improper Input Validation • CWE-285: Improper Authorization

CVE-2017-9062 – WordPress Core < 4.7.5 - Mishandling Post Meta Values via XML-RPC
https://notcve.org/view.php?id=CVE-2017-9062
16 May 2017 — In WordPress before 4.7.5, there is improper handling of post meta data values in the XML-RPC API. Several vulnerabilities were discovered in WordPress, a web blogging tool. They would allow remote attackers to force password resets, and perform various cross-site scripting and cross-site request forgery attacks. • http://www.debian.org/security/2017/dsa-3870 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-285: Improper Authorization • CWE-352: Cross-Site Request Forgery (CSRF) • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVE-2017-9066 – WordPress Core < 4.7.5 - Server-Side Request Forgery
https://notcve.org/view.php?id=CVE-2017-9066
16 May 2017 — In WordPress before 4.7.5, there is insufficient redirect validation in the HTTP class, leading to SSRF. Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform SQL injections and various Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF) attacks, as well as bypass some acce... • http://www.securityfocus.com/bid/98509 • CWE-918: Server-Side Request Forgery (SSRF)

CVE-2017-9061 – WordPress Core < 4.7.5 - Stored Cross-Site Scripting via filenames
https://notcve.org/view.php?id=CVE-2017-9061
16 May 2017 — In WordPress before 4.7.5, a cross-site scripting (XSS) vulnerability exists when attempting to upload very large files, because the error message does not properly restrict presentation of the filename. Several vulnerabilities were discovered in WordPress, a web blogging tool. They would al... • http://www.debian.org/security/2017/dsa-3870 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')