WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.

According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities :

 - Weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values.

 - When domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.8.3.
It is, therefore, affected by a SQL Injection vulnerability and other vulnerabilities:

  - WordPress through 4.8.2 uses a weak MD5-based     password hashing algorithm, which makes it easier for     attackers to determine cleartext values by leveraging     access to the hash values.

  - WordPress through 4.8.2, when domain-based     flashmediaelement.swf sandboxing is not used, allows     remote attackers to conduct cross-domain Flash     injection (XSF) attacks by leveraging code contained     within the wp-includes/js/mediaelement/flashmediaelement.swf     file.

ID	Name	Product	Family	Severity
98317	WordPress 3.7.x < 3.7.23 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98316	WordPress 3.8.x < 3.8.23 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98315	WordPress 3.9.x < 3.9.21 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98314	WordPress 4.0.x < 4.0.20 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98313	WordPress 4.1.x < 4.1.20 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98312	WordPress 4.2.x < 4.2.17 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98311	WordPress 4.3.x < 4.3.13 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98310	WordPress 4.4.x < 4.4.12 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98309	WordPress 4.5.x < 4.5.11 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98308	WordPress 4.6.x < 4.6.8 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98307	WordPress 4.7.x < 4.7.7 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98306	WordPress 4.8.x < 4.8.3 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
104356	WordPress < 4.8.3 Multiple Vulnerabilities	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2012-6707

high

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical