SB2017030611 - Multiple vulnerabilities in WordPress

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2017-6819)

The disclosed vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability is caused by incorrect validation of the request origin within "Press This" functionality (wp-admin/includes/class-wp-press-this.php). A remote attacker can create a specially crafted web page, trick the authenticated WordPress user into visiting and trigger the web application to consume excessive server resources.

Successful exploitation of this vulnerability may allow a remote attacker to perform a denial of service (DoS) attack.

2) Cross-site scripting (CVE-ID: CVE-2017-6818)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data passed via taxonomy term names in wp-admin/js/tags-box.js. A remote attacker can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Cross-site scripting (CVE-ID: CVE-2017-6817)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data passed via video URL in YouTube embeds (wp-includes/embed.php). A remote attacker with ability to add videos can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

4) Improper input validation (CVE-ID: CVE-2017-6816)

The vulnerability allows a remote authenticated administrator to delete certain files.

The vulnerability is caused by unknown error within plugin deletion functionality (wp-admin/plugins.php). A remote authenticated administrator can unintentionally delete certain files on the system.

5) Open redirect (CVE-ID: CVE-2017-6815)

The vulnerability allows a remote attacker to redirect website visitors to external websites.

The vulnerability is caused by incorrect validation of redirected URL in wp-includes/pluggable.php. A remote attacker can create a specially crafted link, redirect the victim on external website and perform a phishing attack.

6) Cross-site scripting (CVE-ID: CVE-2017-6814)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data passed via playlist shortcode in the wp_playlist_shortcode() function in wp-includes/media.php and via the meta information in the renderTracks() function in wp-includes/js/mediaelement/wp-playlist.js. A remote attacker can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

• https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/