Main Vulnerability Database Vulnerabilities #VU4856

Information disclosure in WordPress - CVE-2017-5487

Published: January 17, 2017 / Updated: May 7, 2023

Vulnerability identifier: #VU4856

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2017-5487

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: WordPress.ORG

Affected software:
WordPress

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrectly implemented restrictions within REST API ("wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php") when accessing listings of post authors via HTTP request to "wp-json/wp/v2/users" URL. A remote attacker can send a specially crafted HTTP request to vulnerable URL and obtain potentially sensitive data.

Successful exploitation of the vulnerability may allow an attacker to gain access to otherwise restricted sensitive information.

How to mitigate CVE-2017-5487

Update to version 4.7.1.

Sources

https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/

Information disclosure in WordPress - CVE-2017-5487

Detailed vulnerability description

How to mitigate CVE-2017-5487

Sources

Please verify you're human