Download
| Alert*
oval:org.secpod.oval:def:2000209
In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could modify new comments made by users with greater privileges, possibly causing XSS. oval:org.secpod.oval:def:55472 Simon Scannell of Ripstech Technologies discovered multiple vulnerabilities in wordpress, a web blogging manager. oval:org.secpod.oval:def:2000857 In WordPress before 4.9.9 and 5.x before 5.0.1, the user-activation page could be read by a search engine"s web crawler if an unusual configuration were chosen. The search engine could then index and display a user"s e-mail address and the password that was generated by default. oval:org.secpod.oval:def:2000593 In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins. oval:org.secpod.oval:def:2001328 In WordPress before 4.9.9 and 5.x before 5.0.1, authors could modify metadata to bypass intended restrictions on deleting files. oval:org.secpod.oval:def:2001058 In WordPress before 4.9.9 and 5.x before 5.0.1, authors could bypass intended restrictions on post types via crafted input. oval:org.secpod.oval:def:2001315 In WordPress before 4.9.9 and 5.x before 5.0.1, when the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data. oval:org.secpod.oval:def:108871 Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress/README.fedora oval:org.secpod.oval:def:107977 Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress/README.fedora oval:org.secpod.oval:def:106881 Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress-3.8.3/README.fedora oval:org.secpod.oval:def:107348 Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress/README.fedora oval:org.secpod.oval:def:107987 Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress-4.0.1/README.fedora oval:org.secpod.oval:def:106846 Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress/README.fedora oval:org.secpod.oval:def:107363 Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress-3.9.2/README.fedora oval:org.secpod.oval:def:600548 Two XSS bugs and one potential information disclosure issue were discovered in wordpress, a weblog manager. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2011-0700 Input passed via the post title when performing a "Quick Edit" or "Bulk Edit&qu ... oval:org.secpod.oval:def:105805 Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. oval:org.secpod.oval:def:601269 The update of wordpress in DSA-2901-2 introduced a wrong versioned dependency on libjs-cropper, making the package uninstallable in the oldstable distribution . This update corrects that problem. For reference the original advisory text follows. Several vulnerabilities were discovered in Wordpress, ... oval:org.secpod.oval:def:601262 Several vulnerabilities were discovered in Wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-0165 A user with a contributor role, using a specially crafted request, can publish posts, which is reserved for users of the next-h ... oval:org.secpod.oval:def:105971 Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. oval:org.secpod.oval:def:601271 The update for wordpress in DSA 2901 caused a regression in the Quick Drafts functionality. This update corrects that problem. For reference, the original advisory text follows. Several vulnerabilities were discovered in Wordpress, a web blogging tool. The Common Vulnerabilities and Exposures projec ... oval:org.secpod.oval:def:601066 Several vulnerabilities were identified in Wordpress, a web blogging tool. As the CVEs were allocated from releases announcements and specific fixes are usually not identified, it has been decided to upgrade the Wordpress package to the latest upstream version instead of backporting the patches. Thi ... oval:org.secpod.oval:def:600801 Several vulnerabilities were identified in Wordpress, a web blogging tool. As the CVEs were allocated from releases announcements and specific fixes are usually not identified, it has been decided to upgrade the Wordpress package to the latest upstream version instead of backporting the patches. Thi ... oval:org.secpod.oval:def:55473 WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The ... oval:org.secpod.oval:def:116133 Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress/README.fedora oval:org.secpod.oval:def:53375 A vulnerability was discovered in Wordpress, a web blogging tool. It allowed remote attackers with specific roles to execute arbitrary code. oval:org.secpod.oval:def:53320 Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions or unsafe redirects. More information can be found in the upstream advisory at https://wordpress.org/news/2018/04/wordpress ... oval:org.secpod.oval:def:1900110 Before WordPress 4.9.5, the redirection URL for the login page was not validated or sanitized if forced to use HTTPS. oval:org.secpod.oval:def:1900057 Before WordPress 4.9.5, the version string was not escaped in the get_the_generator function, and could lead to XSS in a generator tag. oval:org.secpod.oval:def:603678 Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting and PHP injections attacks, delete files, leak potentially sensitive data, create posts of unauthorized types, or cause denial-of-service by application c ... oval:org.secpod.oval:def:53528 Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting and PHP injections attacks, delete files, leak potentially sensitive data, create posts of unauthorized types, or cause denial-of-service by application c ... oval:org.secpod.oval:def:1900765 WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image c ... oval:org.secpod.oval:def:1901859 WordPress version <4.9 contains a CWE-20 Input Validation vulnerability in thumbnail processing that can result in remote code execution. This attack appears to be exploitable via thumbnail upload by an authenticated user and may require additional plugins in order to be exploited however this ha ... oval:org.secpod.oval:def:2000387 In WordPress before 4.9.9 and 5.x before 5.0.1, contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php. |