SB2017030611 - Multiple vulnerabilities in WordPress
Published: March 6, 2017
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2017-6819)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform CSRF attacks.
The vulnerability is caused by incorrect validation of the request origin within "Press This" functionality (wp-admin/includes/class-wp-press-this.php). A remote attacker can create a specially crafted web page, trick the authenticated WordPress user into visiting and trigger the web application to consume excessive server resources.
Successful exploitation of this vulnerability may allow a remote attacker to perform a denial of service (DoS) attack.
2) Cross-site scripting (CVE-ID: CVE-2017-6818)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data passed via taxonomy term names in wp-admin/js/tags-box.js. A remote attacker can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Cross-site scripting (CVE-ID: CVE-2017-6817)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data passed via video URL in YouTube embeds (wp-includes/embed.php). A remote attacker with ability to add videos can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
4) Improper input validation (CVE-ID: CVE-2017-6816)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated administrator to delete certain files.
The vulnerability is caused by unknown error within plugin deletion functionality (wp-admin/plugins.php). A remote authenticated administrator can unintentionally delete certain files on the system.
5) Open redirect (CVE-ID: CVE-2017-6815)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to redirect website visitors to external websites.
The vulnerability is caused by incorrect validation of redirected URL in wp-includes/pluggable.php. A remote attacker can create a specially crafted link, redirect the victim on external website and perform a phishing attack.
6) Cross-site scripting (CVE-ID: CVE-2017-6814)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability is caused by incorrect filtration of input data passed via playlist shortcode in the wp_playlist_shortcode() function in wp-includes/media.php and via the meta information in the renderTracks() function in wp-includes/js/mediaelement/wp-playlist.js. A remote attacker can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.