
8952 matches found

Tenable Nessus
added 2015/12/17 12:00 a.m. | 19 views

WordPress < 3.7.9 / 3.8.x < 3.8.9 / 3.9.x < 3.9.7 / 4.1.x < 4.1.6 / 4.2.x < 4.2.3 Multiple Vulnerabilities

Binary data 9030.prm...

CVSS 4 | AI score 7.3 | EPSS 0.08814
Exploits 1 | References 8

OpenVAS
added 2015/10/19 12:00 a.m. | 46 views

Debian Security Advisory DSA 3375-1 (wordpress - security update)

Several vulnerabilities have been fixed in Wordpress, the popular blogging engine. CVE-2015-5714 A cross-site scripting vulnerability when processing shortcode tags has been discovered. The issue has been fixed by not allowing unclosed HTML elements in attributes. CVE-2015-5715 A vulnerability ha...

CVSS 4.3 | AI score 5.8 | EPSS 0.06389
Exploits 2 | References 1

ArchLinux
added 2015/09/21 12:00 a.m. | 40 views

wordpress: multiple issues

CVE-2015-5714 cross-site scripting A cross-site scripting vulnerability has been discovered when processing shortcode tags. - CVE-2015-5715 permission bypass It has been discovered that users without proper permissions could publish private posts and make them sticky...

AI score 1.7 | EPSS 0.06389
Exploits 2 | References 4

WPVulnDB
added 2015/09/15 12:00 a.m. | 39 views

WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting (XSS)

PoC The following payload placed in a page or post does not work in comments: TEST!!!caption width="1" caption='Click me'...

CVSS 4.3 | AI score 1.1 | EPSS 0.06389
Exploits 2 | References 3 | Affected Software 1

FreeBSD
added 2015/09/15 12:00 a.m. | 47 views

wordpress -- multiple vulnerabilities

Samuel Sidler reports: WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.3 and earlier are vulnerable to a cross-site scripting vulnerability when processing shortcode tags...

CVSS 6.1 | AI score 5.6 | EPSS 0.06389
Exploits 2 | References 2

seebug.org
added 2015/09/09 12:00 a.m. | 29 views

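Incomplete fix in the latest Discuz version still allows stored XSS against administrators

Brief description: Programmers need to fix vulnerabilities completely; being careless is not acceptable. Details: The new version fixed the insertion point provided in http://wooyun.org/bugs/wooyun-2010-099979, but due to the programmer's oversight the fixed code still contains a usable shortcode that can cause XSS. The detailed vulnerability analysis is all covered in http://wooyun.org/bugs/wooyun-2010-099979; the main cause is that when the bbcode2html function in /static/js/bbcode.js performs regex replacement on shortcodes, a payload can be constructed so that XSS occurs when the editor renders it. Via diff...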

AI score 7.1
Exploits 0

OSV
added 2015/08/03 2:59 p.m. | 11 views

CVE-2015-5622

Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.ph...

AI score 5.8
Exploits 0 | References 12

NVD
added 2015/08/03 2:59 p.m. | 26 views

CVE-2015-5622

Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.ph...

CVSS 3.5 | AI score 5.8 | EPSS 0.05633
Exploits 1 | References 11

OSV
added 2015/08/03 2:59 p.m. | 6 views

DEBIAN-CVE-2015-5622

Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.ph...

CVSS 3.5 | AI score 5.8 | EPSS 0.05633
Exploits 1 | References 1

UbuntuCve
added 2015/08/03 2:59 p.m. | 40 views

CVE-2015-5622

Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.ph...

CVSS 3.5 | AI score 6.4 | EPSS 0.05633
Exploits 1 | References 4

Cvelist
added 2015/08/03 2:00 p.m. | 29 views

CVE-2015-5622

Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.ph...

AI score 5.8 | EPSS 0.05633
Exploits 1 | References 11

CVE
added 2015/08/03 2:00 p.m. | 113 views

CVE-2015-5622

CVE-2015-5622 concerns the robustness of WordPress shortcode HTML tag filtering. The patch tightened the parsing in wp-includes/kses.php and related shortcode handling, with fixes released around WordPress 4.2.x and culminating in WordPress 4.2.3. Debian advisories also note fixes for this CVE in...

CVSS 3.5 | AI score 5.6 | EPSS 0.05633
Exploits 1 | References 11 | Affected Software 1

Debian CVE
added 2015/08/03 2:00 p.m. | 33 views

CVE-2015-5622

Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.ph...

CVSS 3.5 | AI score 5.4 | EPSS 0.05633
Exploits 1

Tenable Nessus
added 2015/07/29 12:00 a.m. | 49 views

WordPress < 3.7.9 / 3.8.9 / 3.9.7 / 4.1.6 / 4.2.3 Multiple Vulnerabilities

According to its version number, the WordPress application running on the remote web server is either version 3.7.x prior to 3.7.9, 3.8.x prior to 3.8.9, 3.9.x prior to 3.9.7, 4.1.x prior to 4.1.6, or 4.2.x prior to 4.2.3. It is, therefore, potentially affected by the following vulnerabilities : ...

CVSS 4 | AI score 6.3 | EPSS 0.08814
Exploits 1 | References 8

Patchstack
added 2015/07/23 12:00 a.m. | 42 views

WordPress <= 4.2.2 - XSS

WordPress 4.2.2 is prone to a cross site scripting vulnerability that allows an authenticated user to bypass intended access restrictions and create drafts by leveraging the Subscriber role. Also, it allows to inject web script or HTML by leveraging the Author role to place a crafted shortcode...

CVSS 4 | AI score 0.9 | EPSS 0.08814
Exploits 1 | References 1 | Affected Software 1

Patchstack
added 2015/05/15 12:00 a.m. | 10 views

WordPress Download Shortcode Plugin <= 0.2.0 - Arbitrary File Disclosure

This plugin is prone to "file" arbitrary file disclosure vulnerability. Solution Update the plugin...

AI score 2.1
Exploits 0 | References 1 | Affected Software 1

Patchstack
added 2015/05/15 12:00 a.m. | 9 views

WordPress Download Shortcode Plugin <= 0.2.0 - Arbitrary File Disclosure

This plugin is prone to "file" arbitrary file disclosure vulnerability. Solution Update the plugin...

AI score 2.1
Exploits 0 | References 1 | Affected Software 1

Patchstack
added 2015/05/07 12:00 a.m. | 11 views

WordPress Freshmail Plugin <= 1.5.8 - SQL Injection

Freshmail plugin is prone to an SQL injection that exists in "id" parameter via shortcode.php. It allows to insert shortcodes without administrator's permission when page is editing. Solution Update the plugin...

AI score 3.4
Exploits 0 | References 1 | Affected Software 1

exploitpack
added 2015/05/07 12:00 a.m. | 14 views

WordPress Plugin Freshmail 1.5.8 - shortcode.php SQL Injection

WordPress Plugin Freshmail 1.5.8 - shortcode.php SQL Injection Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail 1 Google Dork: N/A Date: 05/05/2015 Exploit Author: Felipe Molina de la Torre @felmoltor Vendor Homepage: http://freshmail.com/ Software Link:...

AI score 0.6
Exploits 0

Exploit DB
added 2015/05/07 12:00 a.m. | 48 views

WordPress Plugin Freshmail 1.5.8 - 'shortcode.php' SQL Injection

Exploit Title: Unauthenticated SQL Injection on Wordpress Freshmail 1 Google Dork: N/A Date: 05/05/2015 Exploit Author: Felipe Molina de la Torre @felmoltor Vendor Homepage: http://freshmail.com/ Software Link: https://downloads.wordpress.org/plugin/freshmail-newsletter.latest-stable.zip Version:...

AI score 7.4
Exploits 0