Multiple vulnerabilities in WordPress

1) Cross-site request forgery

EUVDB-ID: #VU5937

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-6819

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform CSRF attacks.

The vulnerability is caused by incorrect validation of the request origin within "Press This" functionality (wp-admin/includes/class-wp-press-this.php). A remote attacker can create a specially crafted web page, trick the authenticated WordPress user into visiting and trigger the web application to consume excessive server resources.

Successful exploitation of this vulnerability may allow a remote attacker to perform a denial of service (DoS) attack.

Mitigation

Update to version 4.7.3.

Vulnerable software versions

WordPress: 4.7 - 4.7.2

CPE2.3

External links

https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

EUVDB-ID: #VU5936

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-6818

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data passed via taxonomy term names in wp-admin/js/tags-box.js. A remote attacker can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update to version 4.7.3.

Vulnerable software versions

WordPress: 4.7 - 4.7.2

CPE2.3

External links

https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU5935

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-6817

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data passed via video URL in YouTube embeds (wp-includes/embed.php). A remote attacker with ability to add videos can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update to version 4.7.3.

Vulnerable software versions

WordPress: 4.7 - 4.7.2

CPE2.3

External links

https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU5934

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-6816

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated administrator to delete certain files.

The vulnerability is caused by unknown error within plugin deletion functionality (wp-admin/plugins.php). A remote authenticated administrator can unintentionally delete certain files on the system.

Mitigation

Update to version 4.7.3.

Vulnerable software versions

WordPress: 4.7 - 4.7.2

CPE2.3

External links

https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Open redirect

EUVDB-ID: #VU5933

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-6815

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote attacker to redirect website visitors to external websites.

The vulnerability is caused by incorrect validation of redirected URL in wp-includes/pluggable.php. A remote attacker can create a specially crafted link, redirect the victim on external website and perform a phishing attack.

Mitigation

Update to version 4.7.3.

Vulnerable software versions

WordPress: 4.7 - 4.7.2

CPE2.3

External links

https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Cross-site scripting

EUVDB-ID: #VU5932

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-6814

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data passed via playlist shortcode in the wp_playlist_shortcode() function in wp-includes/media.php and via the meta information in the renderTracks() function in wp-includes/js/mediaelement/wp-playlist.js. A remote attacker can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update to version 4.7.3.

Vulnerable software versions

WordPress: 4.7 - 4.7.2

CPE2.3

External links

https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Risk	Low
Patch available	YES
Number of vulnerabilities	6
CVE-ID	CVE-2017-6819 CVE-2017-6818 CVE-2017-6817 CVE-2017-6816 CVE-2017-6815 CVE-2017-6814
CWE-ID	CWE-352 CWE-79 CWE-20 CWE-601
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	WordPress Web applications / CMS
Vendor	WordPress.ORG