CVE-2013-5917 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	0.99%	–	–
2022-03-13	–	–	0.99%	–	–
2022-04-03	–	–	0.99%	–	–
2022-05-29	–	–	0.99%	–	–
2022-08-14	–	–	0.99%	–	–
2022-11-13	–	–	0.99%	–	–
2022-11-20	–	–	0.99%	–	–
2022-11-27	–	–	0.99%	–	–
2023-03-05	–	–	0.99%	–	–
2023-03-12	–	–	–	0.14%	–
2023-05-07	–	–	–	0.13%	–
2023-08-06	–	–	–	0.16%	–
2023-09-17	–	–	–	0.16%	–
2024-02-11	–	–	–	0.11%	–
2024-03-17	–	–	–	0.12%	–
2024-03-24	–	–	–	0.12%	–
2024-06-02	–	–	–	0.15%	–
2024-08-25	–	–	–	0.15%	–
2024-09-22	–	–	–	59.25%	–
2024-10-20	–	–	–	65.12%	–
2024-12-22	–	–	–	36.25%	–
2025-02-23	–	–	–	41.31%	–
2025-01-19	–	–	–	36.25%	–
2025-02-23	–	–	–	41.31%	–
2025-03-18	–	–	–	–	1.21%
2025-03-30	–	–	–	–	1.64%
2025-04-15	–	–	–	–	1.64%
2025-05-09	–	–	–	–	1.4%
2025-05-09	–	–	–	–	1.4,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	18%
2022-03-13	19%
2022-04-03	34%
2022-05-29	35%
2022-08-14	36%
2022-11-13	37%
2022-11-20	36%
2022-11-27	37%
2023-03-05	38%
2023-03-12	47%
2023-05-07	46%
2023-08-06	51%
2023-09-17	52%
2024-02-11	43%
2024-03-17	45%
2024-03-24	46%
2024-06-02	51%
2024-08-25	52%
2024-09-22	98%
2024-10-20	98%
2024-12-22	97%
2025-02-23	97%
2025-01-19	97%
2025-02-23	97%
2025-03-18	78%
2025-03-30	8%
2025-04-15	81%
2025-05-09	79%
2025-05-09	79%

[ NOSpamPTI Wordpress plugin Blind SQL Injection ] [ Vendor product description ] NOSpamPTI eliminates the spam in your comment box so strong and free, developed from the idea of Nando Vieira <a href="http://bit.ly/d38gB8" rel="nofollow">http://bit.ly/d38gB8</a>, but some themes do not support changes to the functions.php to this we alter this function and available as a plugin. Make good use of this plugin and forget all the Spam. [ Bug Description ] NOSpamPTI contains a flaw that may allow an attacker to carry out a Blind SQL injection attack. The issue is due to the wp-comments-post.php script not properly sanitizing the comment_post_ID in POST data. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. [ History ] Advisory sent to vendor on 09/09/2013 Vendor reply 09/20/2013. According the vendor, the plugin was deprecated. [ Impact ] HIGH [ Afected Version ] 2.1 [ CVE Reference] CVE-2013-5917 [ POC ] Payload: POST /wordpress/wp-comments-post.php author=1&challenge=1&challenge_hash=e4da3b7fbbce2345d7772b0674a318d5&comment=1&comment_parent=0&comment_post_ID=1 AND SLEEP(5)&email=sample@email.tst&submit=Post Comment&url=1 [ Vulnerable code ] $post_id = $_POST['comment_post_ID']; load_plugin_textdomain('nospampti', WP_PLUGIN_URL.'/nospampti/languages/', 'nospampti/languages/'); if ($hash != $challenge) { $wpdb->query("DELETE FROM {$wpdb->comments} WHERE comment_ID = {$comment_id}"); $count = $wpdb->get_var("select count(*) from $wpdb->comments where comment_post_id = {$post_id} and comment_approved = '1'"); [ Reference ] [1] No SpamPTI SVN repository - http://plugins.svn.wordpress.org/nospampti/trunk/nospampti.php [2] Owasp - https://owasp.org/index.php/SQL_Injection [3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ -------------------------------------------- iBliss Segurança e Inteligência - Sponsor: Alexandro Silva - Alexos