Multiple vulnerabilities in WordPress
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2017-5493 CVE-2017-5492 CVE-2017-5491 CVE-2017-5490 CVE-2017-5489 CVE-2017-5488 CVE-2017-5487 |
| CWE-ID | CWE-330 CWE-352 CWE-264 CWE-79 CWE-284 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #7 is available. |
| Vulnerable software Subscribe |
WordPress Web applications / CMS |
| Vendor | WordPress.ORG |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Insufficient randomization
EUVDB-ID: #VU4862
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5493
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restriction.
The vulnerability exists due to an error when choosing random numbers for keys within wp-includes/ms-functions.php script in the Multisite WordPress API. A remote attacker can create a specially crafted site signup or user signup request and bypass intended access restriction.
Successful exploitation of the vulnerability may allow an attacker to gain access to otherwise restricted functionality.
MitigationUpdate to version 4.7.1.
Vulnerable software versionsWordPress: 4.7
External linkshttp://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Cross-site request forgery (CSRF)
EUVDB-ID: #VU4861
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5492
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability exists due to improper validation of the HTTP request origin within "wp-admin/includes/class-wp-screen.php" and "wp-admin/widgets.php" scripts. A remote attacker can create a specially specially crafted web page, trick the authenticated victim into visiting it, perform cross-site request forgery attack and hijack the authentication of unspecified victims for requests that perform a widgets-access action.
Successful exploitation of the vulnerability may allow an attacker to bypass authentication.
Mitigation
Update to version 4.7.1
Vulnerable software versionsWordPress: 4.7
External linkshttp://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Spoofing attack
EUVDB-ID: #VU4860
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5491
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restriction.
The vulnerability exists due to an error within wp-mail.php script. A remote attacker can bypass imposed posting restrictions using a spoofed mail server with name mail.example.com.
Successful exploitation of the vulnerability may allow an attacker to perform unauthorized postings.
MitigationUpdate to version 4.7.1.
Vulnerable software versionsWordPress: 4.7
External linkshttp://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Cross-site scripting
EUVDB-ID: #VU4859
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5490
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionVulnerability allows a remote authenticated attacker to perform XSS attacks.
The vulnerability is caused by an input validation error in the theme-name fallback functionality in "wp-includes/class-wp-theme.php" script in WordPress before 4.7.1. A remote authenticated attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Mitigation
Update to version 4.7.1
Vulnerable software versionsWordPress: 4.7
External linkshttp://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Cross-site request forgery
EUVDB-ID: #VU4858
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5489
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability exists due to improper validation of the HTTP request origin. A remote attacker can create a specially specially crafted web page, trick the authenticated victim into visiting it, perform cross-site request forgery attack and hijack authentication of unspecified victims.
Successful exploitation of the vulnerability may allow an attacker to hijack authentication.
Mitigation
Update to version 4.7.1
Vulnerable software versionsWordPress: 4.7
External linkshttp://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Cross-site scripting (XSS)
EUVDB-ID: #VU4857
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5488
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionVulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in "wp-admin/update-core.php" script in WordPress before 4.7.1 when processing the "name" and "version" headers of a plugin. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Update to version 4.7.1
Vulnerable software versionsWordPress: 4.7
External linkshttp://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Information disclosure
EUVDB-ID: #VU4856
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-5487
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrectly implemented restrictions within REST API ("wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php") when accessing listings of post authors via HTTP request to "wp-json/wp/v2/users" URL. A remote attacker can send a specially crafted HTTP request to vulnerable URL and obtain potentially sensitive data.
Successful exploitation of the vulnerability may allow an attacker to gain access to otherwise restricted sensitive information.
MitigationUpdate to version 4.7.1.
Vulnerable software versionsWordPress: 4.7
External linkshttp://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
