Main Vulnerability Database SB2017011113

SB2017011113 - Insufficient randomization in WordPress WordPress

Published: January 11, 2017

Security Bulletin ID SB2017011113

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Insufficient randomization (CVE-ID: CVE-2017-5493)

CWE-ID: CWE-330 - Use of Insufficiently Random Values

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass certain security restriction.

The vulnerability exists due to an error when choosing random numbers for keys within wp-includes/ms-functions.php script in the Multisite WordPress API. A remote attacker can create a specially crafted site signup or user signup request and bypass intended access restriction.

Successful exploitation of the vulnerability may allow an attacker to gain access to otherwise restricted functionality.

Remediation

Install update from vendor's website.

References

https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/