CVE-2015-5533 – Count per Day <= 3.4 - Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2015-5533
SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the cpd_keep_month parameter to wp-admin/options-general.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands. WordPress Count Per Day plugin version 3.4 suffers from a remote SQL injection vulnerability.
• https://www.exploit-db.com/exploits/37707
• http://packetstormsecurity.com/files/132811/WordPress-Count-Per-Day-3.4-SQL-Injection.html
• http://www.securityfocus.com/archive/1/536056/100/0/threaded
• https://plugins.trac.wordpress.org/changeset/1190683/count-per-day
• https://wpvulndb.com/vulnerabilities/8110
• https://www.htbridge.com/advisory/HTB23267
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2013-7472 – Count per Day < 3.2.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2013-7472
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
• https://lists.openwall.net/full-disclosure/2013/03/05/2
• https://wordpress.org/plugins/count-per-day/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-6714 – Count per Day Plugin < 3.2.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2012-6714
The count-per-day plugin before 3.2.3 for WordPress has XSS via search words.
• https://wordpress.org/plugins/count-per-day/#developers
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2012-0896 – Count per Day <= 3.1 - Arbitrary File Download
https://notcve.org/view.php?id=CVE-2012-0896
Absolute path traversal vulnerability in download.php in the Count Per Day module before 3.1.1 for WordPress allows remote attackers to read arbitrary files via the f parameter.
• https://www.exploit-db.com/exploits/18355
• http://osvdb.org/78270
• http://packetstormsecurity.org/files/108631/countperday-downloadxss.txt
• http://plugins.trac.wordpress.org/changeset/488883/count-per-day
• http://secunia.com/advisories/47529
• http://wordpress.org/extend/plugins/count-per-day/changelog
• http://www.exploit-db.com/exploits/18355
• http://www.securityfocus.com/bid/51402
• https://exchange.xforce.ibmcloud.com/vulnerabilities/72385
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')