Multiple vulnerabilities in WordPress



Published: 2017-01-27 | Updated: 2017-02-07
Risk High
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2017-5610
CVE-2017-5611
CVE-2017-5612
CVE-2017-1001000
CWE-ID CWE-284
CWE-89
CWE-79
CWE-264
Exploitation vector Network
Public exploit Public exploit code for vulnerability #3 is available.
Vulnerability #4 is being exploited in the wild.
Vulnerable software
Subscribe
WordPress
Web applications / CMS

Vendor WordPress.ORG

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

The security rating of this bulletin was raised to "High" after WordPress disclosed vulnerability in REST API.

1) Improper access control

EUVDB-ID: #VU5510

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5610

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to otherwise restricted information.

The vulnerability resides within wp-admin/includes/class-wp-press-this.php script in Press This functionality, which does not properly restrict visibility permissions to user interface for assigning taxonomy terms. A remote authenticated attacker may be able to gain access to potentially sensitive information.

Mitigation

Update to version 4.7.2.

Vulnerable software versions

WordPress: 4.7 - 4.7.1


CPE2.3 External links

http://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) SQL injection

EUVDB-ID: #VU5509

Risk: Medium

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5611

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send specially crafted HTTP POST request to "wp-includes/class-wp-query.php" script, pass malformed WP_Query to an affected plugin or theme and execute arbitrary SQL commands in web application database.

Successful exploitation of the vulnerability may allow an attacker to gain complete control over vulnerable website.

Mitigation

Update to version 4.7.2

Vulnerable software versions

WordPress: 4.7 - 4.7.1


CPE2.3 External links

http://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU5508

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C]

CVE-ID: CVE-2017-5612

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: Yes

Description

Vulnerability allows a remote authenticated attacker to perform Cross-site scripting attacks.

An input validation error exists in "wp-admin/includes/class-wp-posts-list-table.php" script in the posts list table. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update to version 4.7.2

Vulnerable software versions

WordPress: 4.7 - 4.7.1


CPE2.3 External links

http://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

4) Security bypass

EUVDB-ID: #VU5612

Risk: High

CVSSv3.1: 7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C]

CVE-ID: CVE-2017-1001000

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to inject arbitrary content.

The vulnerability exists due to web application fails to check privileges when processing requests sent via REST API in /wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php script. A remote attacker can send a specially crafted HTTP request to /wp-json/wp/v2/posts/{POST_ID} URL and post arbitrary content to your website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks, spread spam content, etc. In certain cases this vulnerability can lead to remote PHP code execution leveraging functionality of third-party plugins.

Note: this vulnerability is being actively exploited in the wild.

Mitigation

Update to version 4.7.2.

Vulnerable software versions

WordPress: 4.7 - 4.7.1


CPE2.3 External links

http://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
http://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



###SIDEBAR###