CVSS: 5.3EPSS: 1%CPEs: 101EXPL: 1CVE-2009-2432 – WordPress Core & WordPress MU < 2.8.1 - Full Path Disclosure
https://notcve.org/view.php?id=CVE-2009-2432
10 Jul 2009 — WordPress and WordPress MU before 2.8.1 allow remote attackers to obtain sensitive information via a direct request to wp-settings.php, which reveals the installation path in an error message. WordPress y WordPress MU antes de v2.8.1 permite a atacantes remotos obtener información sensible a través de una solicitud directa a wp-settings.php, el cual revela la ruta de instalación en un mensaje de error. • http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.3EPSS: 85%CPEs: 2EXPL: 3CVE-2009-2335 – WordPress Core & WordPress MU < 2.8.1 - Username Enumeration
https://notcve.org/view.php?id=CVE-2009-2335
09 Jul 2009 — WordPress and WordPress MU before 2.8.1 exhibit different behavior for a failed login attempt depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." WordPress y WordPress MU anterior a v2.8.1 expone un comportamiento diferente para un intento fallido de acceso en función de si existe la cuenta de usuario, lo cual permite a atacant... • https://www.exploit-db.com/exploits/17702 • CWE-16: Configuration CWE-204: Observable Response Discrepancy •
CVSS: 6.1EPSS: 16%CPEs: 101EXPL: 5CVE-2009-2334 – WordPress Core <= 2.8 - Sensitive Information Disclosure
https://notcve.org/view.php?id=CVE-2009-2334
09 Jul 2009 — wp-admin/admin.php in WordPress and WordPress MU before 2.8.1 does not require administrative authentication to access the configuration of a plugin, which allows remote attackers to specify a configuration file in the page parameter to obtain sensitive information or modify this file, as demonstrated by the (1) collapsing-archives/options.txt, (2) akismet/readme.txt, (3) related-ways-to-take-action/options.php, (4) wp-security-scan/securityscan.php, and (5) wp-ids/ids-admin.php files. NOTE: this can be lev... • https://www.exploit-db.com/exploits/9110 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 2%CPEs: 2EXPL: 2CVE-2009-2336 – WordPress Core & WordPress MU < 2.8.1 - Username Enumeration
https://notcve.org/view.php?id=CVE-2009-2336
09 Jul 2009 — The forgotten mail interface in WordPress and WordPress MU before 2.8.1 exhibits different behavior for a password request depending on whether the user account exists, which allows remote attackers to enumerate valid usernames. NOTE: the vendor reportedly disputes the significance of this issue, indicating that the behavior exists for "user convenience." El interfaz de correo olvidado en WordPress y WordPress MU anterior a v2.8.1 muestra diferentes comportamientos para una petición de contraseña dependiend... • http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked • CWE-16: Configuration CWE-203: Observable Discrepancy •
CVSS: 6.4EPSS: 1%CPEs: 26EXPL: 1CVE-2009-1030 – WordPress MU < 2.7 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2009-1030
10 Mar 2009 — Cross-site scripting (XSS) vulnerability in the choose_primary_blog function in wp-includes/wpmu-functions.php in WordPress MU (WPMU) before 2.7 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la función choose_primary_blog en wp-includes/wpmu-functions.php en WordPress MU (WPMU) anterior a v2.7 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de la cabe... • https://www.exploit-db.com/exploits/8196 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 6EXPL: 2CVE-2008-4671 – WordPress MU < 2.6 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2008-4671
01 Sep 2008 — Cross-site scripting (XSS) vulnerability in wp-admin/wp-blogs.php in Wordpress MU (WPMU) before 2.6 allows remote attackers to inject arbitrary web script or HTML via the (1) s and (2) ip_address parameters. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el archivo wp-admin/wp-blogs.php en Wordpress MU (WPMU), en versiones anteriores a 2.6, que permite a los atacantes remotos inyectar arbitrariamente una secuencia de comandos web o HTML a través de los parámetros (1) s y (... • https://www.exploit-db.com/exploits/32444 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 17%CPEs: 2EXPL: 3CVE-2008-5695 – WordPress Core < 2.3.3 & WordPress MU < 1.3.2 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2008-5695
08 Sep 2007 — wp-admin/options.php in WordPress MU before 1.3.2, and WordPress 2.3.2 and earlier, does not properly validate requests to update an option, which allows remote authenticated users with manage_options and upload_files capabilities to execute arbitrary code by uploading a PHP script and adding this script's pathname to active_plugins. wp-admin/options.php en versiones de WordPress MU anteriores a la 1.3.2, y WordPress 2.3.2 y anteriores, no valida las solicitudes de actualización de una opción, lo que permit... • https://www.exploit-db.com/exploits/5066 • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2007-4544 – WordPress MU <= 1.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2007-4544
22 Aug 2007 — Cross-site scripting (XSS) vulnerability in wp-newblog.php in WordPress multi-user (MU) 1.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the weblog_id parameter (Username field). Vulnerabilidad de secuencia de comandos en sitios cruzados (XSS) en wp-newblog.php en WordPress multi-user (MU) 1.0 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro weblog_id (campo Username). • http://osvdb.org/38442 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2007-3543 – WordPress Core <= 2.2 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2007-3543
03 Jul 2007 — Unrestricted file upload vulnerability in WordPress before 2.2.1 and WordPress MU before 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code by making a post that specifies a .php filename in the _wp_attached_file metadata field; and then sending this file's content, along with its post_ID value, to (1) wp-app.php or (2) app.php. Vulnerabilidad de fichero de archivo no restringido en WordPress anterior a 2.2.1 y WordPress MU anterior a 1.2.3 permite a usuarios autenticados remot... • http://osvdb.org/37295 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 1%CPEs: 2EXPL: 0CVE-2007-3544 – WordPress Core <= 2.2.1 - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2007-3544
03 Jul 2007 — Unrestricted file upload vulnerability in (1) wp-app.php and (2) app.php in WordPress 2.2.1 and WordPress MU 1.2.3 allows remote authenticated users to upload and execute arbitrary PHP code via unspecified vectors, possibly related to the wp_postmeta table and the use of custom fields in normal (non-attachment) posts. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2007-3543. Vulnerabilidad e envío de archivo no restringido en (1) wp-app.php y (2) app.php de WordPresss 2.2.1 y WordPr... • http://osvdb.org/37294 • CWE-434: Unrestricted Upload of File with Dangerous Type •