#VU6593 Cross-site request forgery in WordPress - CVE-2017-9066

Published: May 17, 2017 / Updated: October 10, 2018


Vulnerability identifier: #VU6593
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-9066
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
WordPress
Software vendor:
WordPress.ORG

Description

The disclosed vulnerability allows a remote attacker to redirect users to an arbitrary website.

The vulnerability exists due to insufficient validation of user-supplied data before redirecting visitors in the HTTP class. A remote attacker can exploit this vulnerability to interact with the web server using an SSRF vector.

Successful exploitation of the vulnerability may allow an attacker to send HTTP requests to 0.0.0.0 on ports 80, 443 and 8080.

Example:

http://[host]/wp-admin/press-this.php?u=http://[HOST|IP]
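
The PHP check below is an added illustration, not WordPress's own wp_http_validate_url() or the 4.7.5 patch; it shows the kind of per-hop redirect-target validation whose absence this advisory describes (http/https only, ports 80/443/8080 only, no host resolving to 0.0.0.0/8, loopback, link-local or private space). The $resolver callable and the hostnames in the self-check are assumptions so the script runs offline.

```php
<?php
// Added example (not WordPress code). Returns true only if an HTTP client may
// safely follow a redirect to $url. $resolver maps hostname -> IP and is an
// assumption for offline use; pass null to fall back to gethostbyname().
function is_safe_redirect_target(string $url, ?callable $resolver = null): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                              // no credentials in the URL
    }
    if (isset($parts['port']) && !in_array($parts['port'], [80, 443, 8080], true)) {
        return false;                              // same port allow-list as WordPress
    }
    $host = trim($parts['host'], '[]');            // strip IPv6 brackets
    $ip   = filter_var($host, FILTER_VALIDATE_IP)
          ? $host
          : ($resolver ?? 'gethostbyname')($host);
    // gethostbyname() returns the name unchanged on failure: treat that as unsafe.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // NO_RES_RANGE rejects 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, ::1 and ::;
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fd00::/8.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Constructed resolver map and self-check; hostnames and addresses are made up.
$resolve = fn(string $h): string =>
    ['intranet.example' => '10.0.0.5', 'www.example.com' => '93.184.216.34'][$h] ?? $h;
$cases = [
    'http://www.example.com/'      => true,
    'http://0.0.0.0/'              => false,   // the target named in this advisory
    'http://127.0.0.1:8080/'       => false,   // allowed port, but loopback host
    'http://intranet.example/'     => false,   // resolves to a private address
    'http://www.example.com:8443/' => false,   // port outside 80/443/8080
    'ftp://www.example.com/'       => false,   // non-HTTP scheme
    'http://[::1]/'                => false,   // IPv6 loopback
];
foreach ($cases as $url => $expected) {
    if (is_safe_redirect_target($url, $resolve) !== $expected) {
        throw new RuntimeException("unexpected verdict for $url");
    }
}
echo "all redirect-target checks passed\n";
```

Apply the check to every Location header before the client follows it, not only to the initial URL, since the initial target can be benign while the redirect points at an internal address.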

Remediation

Update to version 4.7.5.

External links