Multiple vulnerabilities in WordPress

Published: 2017-01-27 | Updated: 2017-02-07
Severity High
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2017-5610
CVE-2017-5611
CVE-2017-5612
CVE-2017-1001000
CWE ID CWE-284
CWE-89
CWE-79
CWE-264
Exploitation vector Network
Public exploit Public exploit code for vulnerability #3 is available.
Vulnerability #4 is being exploited in the wild.
Vulnerable software WordPress Subscribe
Vendor WordPress.ORG

Security Advisory

The security rating of this bulletin was raised to "High" after WordPress disclosed vulnerability in REST API.

1) Improper access control

Severity: Low

CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-5610

CWE-ID: CWE-284 - Improper Access Control

Description

The vulnerability allows a remote attacker to gain access to otherwise restricted information.

The vulnerability resides within wp-admin/includes/class-wp-press-this.php script in Press This functionality, which does not properly restrict visibility permissions to user interface for assigning taxonomy terms. A remote authenticated attacker may be able to gain access to potentially sensitive information.

Mitigation

Update to version 4.7.2.

Vulnerable software versions

WordPress: 4.7, 4.7.1

CPE External links

https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) SQL injection

Severity: Medium

CVSSv3: 8.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-5611

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send specially crafted HTTP POST request to "wp-includes/class-wp-query.php" script, pass malformed WP_Query to an affected plugin or theme and execute arbitrary SQL commands in web application database.

Successful exploitation of the vulnerability may allow an attacker to gain complete control over vulnerable website.

Mitigation

Update to version 4.7.2

Vulnerable software versions

WordPress: 4.7, 4.7.1

CPE External links

https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

Severity: Low

CVSSv3: 5.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-5612

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

Vulnerability allows a remote authenticated attacker to perform Cross-site scripting attacks.

An input validation error exists in "wp-admin/includes/class-wp-posts-list-table.php" script in the posts list table. A remote attacker can trick the victim to follow a specially specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update to version 4.7.2

Vulnerable software versions

WordPress: 4.7, 4.7.1

CPE External links

https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

4) Security bypass

Severity: High

CVSSv3: 7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-1001000

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Description

The vulnerability allows a remote attacker to inject arbitrary content.

The vulnerability exists due to web application fails to check privileges when processing requests sent via REST API in /wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php script. A remote attacker can send a specially crafted HTTP request to /wp-json/wp/v2/posts/{POST_ID} URL and post arbitrary content to your website.

Successful exploitation of the vulnerability may allow an attacker to perform phishing and drive-by-download attacks, spread spam content, etc. In certain cases this vulnerability can lead to remote PHP code execution leveraging functionality of third-party plugins.

Note: this vulnerability is being actively exploited in the wild.

Mitigation

Update to version 4.7.2.

Vulnerable software versions

WordPress: 4.7, 4.7.1

CPE External links

https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



ImmuniWeb® AI Platform for Application Security Testing