#VU4856 Information disclosure in WordPress - CVE-2017-5487
Published: January 17, 2017 / Updated: May 7, 2023
WordPress
WordPress.ORG
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrectly implemented restrictions within the REST API ("wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php") when accessing listings of post authors via an HTTP request to the "wp-json/wp/v2/users" URL. A remote attacker can send a specially crafted HTTP request to the vulnerable URL and obtain potentially sensitive data.
Successful exploitation of the vulnerability may allow an attacker to gain access to otherwise restricted sensitive information.
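
To see whether the endpoint named above has been requested on a site, web server access logs can be summarized per client. The following is an added example, not part of the original advisory or of WordPress: it assumes Combined Log Format access logs, the function names are hypothetical, and the log lines are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
USERS_ROUTE = "/wp-json/wp/v2/users"  # endpoint named in the advisory

def is_users_listing(target):
    """True when the request path is the users route or an item below it."""
    path = urlsplit(target).path.rstrip("/")
    idx = path.find(USERS_ROUTE)  # WordPress may be installed in a subdirectory
    if idx == -1:
        return False
    rest = path[idx + len(USERS_ROUTE):]
    return rest == "" or rest.startswith("/")

def summarize(lines):
    """Per client IP: requests to the users route and how many returned 200."""
    stats = defaultdict(lambda: {"hits": 0, "served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_users_listing(m["target"]):
            continue
        entry = stats[m["ip"]]
        entry["hits"] += 1
        if m["status"] == "200":
            entry["served"] += 1
    return dict(stats)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [17/Jan/2017:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1532 "-" "curl/7.50"',
    '203.0.113.7 - - [17/Jan/2017:10:00:02 +0000] "GET /wp-json/wp/v2/users/1 HTTP/1.1" 200 411 "-" "curl/7.50"',
    '198.51.100.4 - - [17/Jan/2017:10:02:00 +0000] "GET /blog/wp-json/wp/v2/users?page=2 HTTP/1.1" 401 97 "-" "-"',
    '192.0.2.9 - - [17/Jan/2017:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [17/Jan/2017:10:03:05 +0000] "GET /wp-json/wp/v2/users-guide HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE).items():
        print(f"{ip}: {s['hits']} request(s), {s['served']} answered 200")
```

A 200 status only shows that the route answered; whether the response contained restricted data has to be judged from the installed WordPress version and the response itself.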