Notes
Notes - notes.io |
| Fixed in: 3.3.2
| References:
| - https://wpvulndb.com/vulnerabilities/5999
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2401
| - http://seclists.org/fulldisclosure/2012/Nov/51
|
| [!] Title: WordPress 1.5.1 - 3.5 XMLRPC Pingback API Internal/External Port Scanning
| Fixed in: 3.5.1
| References:
| - https://wpvulndb.com/vulnerabilities/5988
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0235
| - https://github.com/FireFart/WordpressPingbackPortScanner
|
| [!] Title: WordPress 1.5.1 - 3.5 XMLRPC pingback additional issues
| References:
| - https://wpvulndb.com/vulnerabilities/5989
| - http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html
|
| [!] Title: WordPress <= 3.3.2 Cross-Site Scripting (XSS) in wp-includes/default-filters.php
| Fixed in: 3.3.3
| References:
| - https://wpvulndb.com/vulnerabilities/5994
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6633
|
| [!] Title: WordPress <= 3.3.2 wp-admin/media-upload.php sensitive information disclosure or bypass
| Fixed in: 3.3.3
| References:
| - https://wpvulndb.com/vulnerabilities/5995
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6634
|
| [!] Title: WordPress <= 3.3.2 wp-admin/includes/class-wp-posts-list-table.php sensitive information disclosure by visiting a draft
| Fixed in: 3.3.3
| References:
| - https://wpvulndb.com/vulnerabilities/5996
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6635
|
| [!] Title: WordPress 3.0 - 3.6 Crafted String URL Redirect Restriction Bypass
| Fixed in: 3.6.1
| References:
| - https://wpvulndb.com/vulnerabilities/5970
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4339
| - https://www.exploit-db.com/exploits/28958/
| - https://packetstormsecurity.com/files/123589/
| - http://core.trac.wordpress.org/changeset/25323
| - http://www.gossamer-threads.com/lists/fulldisc/full-disclosure/91609
|
| [!] Title: WordPress 3.1 PCRE Library Remote DoS
| Fixed in: 3.1.1
| References:
| - https://wpvulndb.com/vulnerabilities/6003
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4957
|
| [!] Title: WordPress 2.0.3 - 3.9.1 (except 3.7.4 / 3.8.4) CSRF Token Brute Forcing
| Fixed in: 3.9.2
| References:
| - https://wpvulndb.com/vulnerabilities/7528
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5204
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5205
| - https://core.trac.wordpress.org/changeset/29384
| - https://core.trac.wordpress.org/changeset/29408
|
| [!] Title: WordPress 3.0 - 3.9.1 Authenticated Cross-Site Scripting (XSS) in Multisite
| Fixed in: 3.9.2
| References:
| - https://wpvulndb.com/vulnerabilities/7529
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5240
| - https://core.trac.wordpress.org/changeset/29398
|
| [!] Title: WordPress 3.0-3.9.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 4.0
| References:
| - https://wpvulndb.com/vulnerabilities/7680
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9031
| - http://klikki.fi/adv/wordpress.html
| - https://wordpress.org/news/2014/11/wordpress-4-0-1/
| - http://klikki.fi/adv/wordpress_update.html
|
| [!] Title: WordPress <= 4.0 - Long Password Denial of Service (DoS)
| Fixed in: 4.0.1
| References:
| - https://wpvulndb.com/vulnerabilities/7681
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9034
| - https://www.exploit-db.com/exploits/35413/
| - https://www.exploit-db.com/exploits/35414/
| - http://www.behindthefirewalls.com/2014/11/wordpress-denial-of-service-responsible-disclosure.html
| - https://wordpress.org/news/2014/11/wordpress-4-0-1/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_long_password_dos
|
| [!] Title: WordPress <= 4.0 - Server Side Request Forgery (SSRF)
| Fixed in: 4.0.1
| References:
| - https://wpvulndb.com/vulnerabilities/7696
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9038
| - https://www.securityfocus.com/bid/71234/
| - https://core.trac.wordpress.org/changeset/30444
|
| [!] Title: WordPress <= 4.2.2 - Authenticated Stored Cross-Site Scripting (XSS)
| Fixed in: 4.2.3
| References:
| - https://wpvulndb.com/vulnerabilities/8111
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5622
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5623
| - https://wordpress.org/news/2015/07/wordpress-4-2-3/
| - https://twitter.com/klikkioy/status/624264122570526720
| - https://klikki.fi/adv/wordpress3.html
|
| [!] Title: WordPress <= 4.4.2 - SSRF Bypass using Octal & Hexedecimal IP addresses
| Fixed in: 4.5
| References:
| - https://wpvulndb.com/vulnerabilities/8473
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4029
| - https://codex.wordpress.org/Version_4.5
| - https://github.com/WordPress/WordPress/commit/af9f0520875eda686fd13a427fd3914d7aded049
|
| [!] Title: WordPress <= 4.4.2 - Reflected XSS in Network Settings
| Fixed in: 4.5
| References:
| - https://wpvulndb.com/vulnerabilities/8474
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6634
| - https://codex.wordpress.org/Version_4.5
| - https://github.com/WordPress/WordPress/commit/cb2b3ed3c7d68f6505bfb5c90257e6aaa3e5fcb9
|
| [!] Title: WordPress <= 4.4.2 - Script Compression Option CSRF
| Fixed in: 4.5
| References:
| - https://wpvulndb.com/vulnerabilities/8475
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6635
| - https://codex.wordpress.org/Version_4.5
|
| [!] Title: WordPress 2.6.0-4.5.2 - Unauthorized Category Removal from Post
| Fixed in: 4.5.3
| References:
| - https://wpvulndb.com/vulnerabilities/8520
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5837
| - https://wordpress.org/news/2016/06/wordpress-4-5-3/
| - https://github.com/WordPress/WordPress/commit/6d05c7521baa980c4efec411feca5e7fab6f307c
|
| [!] Title: WordPress 2.5-4.6 - Authenticated Stored Cross-Site Scripting via Image Filename
| Fixed in: 4.6.1
| References:
| - https://wpvulndb.com/vulnerabilities/8615
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168
| - https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
| - https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
| - http://seclists.org/fulldisclosure/2016/Sep/6
|
| [!] Title: WordPress 2.8-4.6 - Path Traversal in Upgrade Package Uploader
| Fixed in: 4.6.1
| References:
| - https://wpvulndb.com/vulnerabilities/8616
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169
| - https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/54720a14d85bc1197ded7cb09bd3ea790caa0b6e
|
| [!] Title: WordPress 2.9-4.7 - Authenticated Cross-Site scripting (XSS) in update-core.php
| Fixed in: 4.7.1
| References:
| - https://wpvulndb.com/vulnerabilities/8716
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5488
| - https://github.com/WordPress/WordPress/blob/c9ea1de1441bb3bda133bf72d513ca9de66566c2/wp-admin/update-core.php
| - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
|
| [!] Title: WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
| Fixed in: 4.7.1
| References:
| - https://wpvulndb.com/vulnerabilities/8719
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5491
| - https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a
| - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
|
| [!] Title: WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
| Fixed in: 4.7.1
| References:
| - https://wpvulndb.com/vulnerabilities/8720
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5492
| - https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733
| - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
|
| [!] Title: WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)
| Fixed in: 4.7.1
| References:
| - https://wpvulndb.com/vulnerabilities/8721
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5493
| - https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
| - https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
|
| [!] Title: WordPress 2.8.1-4.7.2 - Control Characters in Redirect URL Validation
| Fixed in: 4.7.3
| References:
| - https://wpvulndb.com/vulnerabilities/8766
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6815
| - https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
|
| [!] Title: WordPress 2.3-4.8.3 - Host Header Injection in Password Reset
| References:
| - https://wpvulndb.com/vulnerabilities/8807
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8295
| - https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
| - http://blog.dewhurstsecurity.com/2017/05/04/exploitbox-wordpress-security-advisories.html
| - https://core.trac.wordpress.org/ticket/25239
|
| [!] Title: WordPress 2.7.0-4.7.4 - Insufficient Redirect Validation
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8815
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9066
| - https://github.com/WordPress/WordPress/commit/76d77e927bb4d0f87c7262a50e28d84e01fd2b11
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
|
| [!] Title: WordPress 2.5.0-4.7.4 - Post Meta Data Values Improper Handling in XML-RPC
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8816
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9062
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/3d95e3ae816f4d7c638f40d3e936a4be19724381
|
| [!] Title: WordPress 2.5.0-4.7.4 - Filesystem Credentials Dialog CSRF
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8818
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9064
| - https://wordpress.org/news/2017/05/wordpress-4-7-5/
| - https://github.com/WordPress/WordPress/commit/38347d7c580be4cdd8476e4bbc653d5c79ed9b67
| - https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_connection_information.html
|
| [!] Title: WordPress 2.3.0-4.8.1 - $wpdb->prepare() potential SQL Injection
| Fixed in: 4.8.2
| References:
| - https://wpvulndb.com/vulnerabilities/8905
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14723
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
| - https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
|
| [!] Title: WordPress 2.3.0-4.7.4 - Authenticated SQL injection
| Fixed in: 4.7.5
| References:
| - https://wpvulndb.com/vulnerabilities/8906
| - https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
| - https://wpvulndb.com/vulnerabilities/8905
|
| [!] Title: WordPress 2.9.2-4.8.1 - Open Redirect
| Fixed in: 4.8.2
| References:
| - https://wpvulndb.com/vulnerabilities/8910
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14725
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41398
|
| [!] Title: WordPress 3.0-4.8.1 - Path Traversal in Unzipping
| Fixed in: 4.8.2
| References:
| - https://wpvulndb.com/vulnerabilities/8911
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14719
| - https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
| - https://core.trac.wordpress.org/changeset/41457
|
| [!] Title: WordPress <= 4.8.2 - $wpdb->prepare() Weakness
| Fixed in: 4.8.3
| References:
| - https://wpvulndb.com/vulnerabilities/8941
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16510
| - https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
| - https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
| - https://twitter.com/ircmaxell/status/923662170092638208
| - https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
|
| [!] Title: WordPress 2.8.6-4.9 - Authenticated JavaScript File Upload
| Fixed in: 4.9.1
| References:
| - https://wpvulndb.com/vulnerabilities/8966
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17092
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/67d03a98c2cae5f41843c897f206adde299b0509
|
| [!] Title: WordPress 1.5.0-4.9 - RSS and Atom Feed Escaping
| Fixed in: 4.9.1
| References:
| - https://wpvulndb.com/vulnerabilities/8967
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17094
| - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/f1de7e42df29395c3314bf85bff3d1f4f90541de
|
| [!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
| References:
| - https://wpvulndb.com/vulnerabilities/9021
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389
| - https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
| - https://github.com/quitten/doser.py
| - https://thehackernews.com/2018/02/wordpress-dos-exploit.html
|
| [!] Title: WordPress <= 4.9.6 - Authenticated Arbitrary File Deletion
| References:
| - https://wpvulndb.com/vulnerabilities/9100
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12895
| - https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
| - http://blog.vulnspy.com/2018/06/27/Wordpress-4-9-6-Arbitrary-File-Delection-Vulnerbility-Exploit/
| - https://github.com/WordPress/WordPress/commit/c9dce0606b0d7e6f494d4abe7b193ac046a322cd
| - https://wordpress.org/news/2018/07/wordpress-4-9-7-security-and-maintenance-release/
| - https://www.wordfence.com/blog/2018/07/details-of-an-additional-file-deletion-vulnerability-patched-in-wordpress-4-9-7/
|
| [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
| Fixed in: 5.2.3
| References:
| - https://wpvulndb.com/vulnerabilities/9867
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16222
| - https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
| - https://github.com/WordPress/WordPress/commit/30ac67579559fe42251b5a9f887211bf61a8ed68
============================================
|
|
Notes.io is a web-based application for taking notes. You can take your notes and share with others people. If you like taking long notes, notes.io is designed for you. To date, over 8,000,000,000 notes created and continuing...
With notes.io;
- * You can take a note from anywhere and any device with internet connection.
- * You can share the notes in social platforms (YouTube, Facebook, Twitter, instagram etc.).
- * You can quickly share your contents without website, blog and e-mail.
- * You don't need to create any Account to share a note. As you wish you can use quick, easy and best shortened notes with sms, websites, e-mail, or messaging services (WhatsApp, iMessage, Telegram, Signal).
- * Notes.io has fabulous infrastructure design for a short link and allows you to share the note as an easy and understandable link.
Fast: Notes.io is built for speed and performance. You can take a notes quickly and browse your archive.
Easy: Notes.io doesn’t require installation. Just write and share note!
Short: Notes.io’s url just 8 character. You’ll get shorten link of your note when you want to share. (Ex: notes.io/q )
Free: Notes.io works for 12 years and has been free since the day it was started.
You immediately create your first note and start sharing with the ones you wish. If you want to contact us, you can use the following communication channels;
Email: [email protected]
Twitter: http://twitter.com/notesio
Instagram: http://instagram.com/notes.io
Facebook: http://facebook.com/notesio
Regards;
Notes.io Team
