WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.

Several vulnerabilities were discovered in wordpress, a web blogging tool, which could allow remote attackers to compromise a site via cross-site scripting, bypass restrictions, obtain sensitive revision-history information, or mount a denial of service.

Several vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following issues.

CVE-2016-5387 WordPress allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.

CVE-2016-5832 The customizer in WordPress allows remote attackers to bypass intended redirection restrictions via unspecified vectors.

CVE-2016-5834 Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post- template.php in WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name.

CVE-2016-5835 WordPress allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.

CVE-2016-5838 WordPress allows remote attackers to bypass intended password- change restrictions by leveraging knowledge of a cookie.

CVE-2016-5839 WordPress allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.

For Debian 7 'Wheezy', these problems have been fixed in version 3.6.1+dfsg-1~deb7u11.

We recommend that you upgrade your wordpress packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of WordPress prior to 4.5.3 are affected by multiple vulnerabilities :

 - A flaw exists in Customizer, which may allow an attacker to perform a "redirect bypass".
 - Multiple cross-site scripting (XSS) attacks exist because the program does not validate input when handling attachment names before returing it to users. This allows a remote attacker to craft a request that can execute arbitrary script in a user's browser session withing the trust relationship between their browser and the server.
 - A flaw in the program may allow an attacker to gain access to potentially sensitive information in the revision history. No further details have been provided by the vendor.
 - A flaw exists in oEmbed, which may allow a remote attacker to cause a denial of service. No further details have been provided by the vendor.
 - The program contains a flaw which may allow an unauthorized attacker to remove categories from posts. No further details have been provided by the vendor.
 - A flaw is triggered when handling stolen cookies. This may allow a remote attacker to make changes to passwords. No further details have been provided by the vendor.
 - Multiple flaws exist related to 'sanitize_file_name()', which may allow an attacker to have an unspecified impact. No further details have been provided by the vendor.

Adam Silverstein reports :

WordPress 4.5.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.5.2 and earlier are affected by several security issues: redirect bypass in the customizer, reported by Yassine Aboukir; two different XSS problems via attachment names, reported by Jouko Pynnonenand Divyesh Prajapati; revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen from the Wordfence Research Team; oEmbed denial of service reported by Jennifer Dodd from Automattic; unauthorized category removal from a post, reported by David Herrera from Alley Interactive; password change via stolen cookie, reported by Michael Adams from the WordPress security team;
and some less secure sanitize_file_name edge cases reported by Peter Westwood of the WordPress security team.

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.5.3.
It is, therefore, affected by the following vulnerabilities :

  - An unspecified flaw exists in the Customizer component     that allows an unauthenticated, remote attacker to     perform a redirect bypass.

  - Multiple cross-site scripting vulnerabilities exist due     to improper validation of user-supplied input when     handling attachment names. An unauthenticated, remote     attacker can exploit these issues, via a specially     crafted request, to execute arbitrary script code in a     user's browser session.

  - An information disclosure vulnerability exists that     allows an unauthenticated, remote attacker to disclose     revision history.

  - An unspecified flaw exists in oEmbed that allows an     unauthenticated, remote attacker to cause a denial of     service condition.

  - An unspecified flaw exists that allows an     unauthenticated, remote attacker to remove categories     from posts.

  - An unspecified flaw exists that is triggered when     handling stolen cookies. An unauthenticated, remote     attacker can exploit this to change user passwords.

  - Multiple unspecified flaws exist in the     sanitize_file_name() function that allow an     unauthenticated, remote attacker to have an unspecified     impact.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
92706	Debian DSA-3639-1 : wordpress - security update	Nessus	Debian Local Security Checks	high
92632	Debian DLA-568-1 : wordpress security update (httpoxy)	Nessus	Debian Local Security Checks	high
9388	WordPress < 4.5.3 Multiple Vulnerabilities	Nessus Network Monitor	CGI	medium
91840	FreeBSD : wordpress -- multiple vulnerabilities (bfcc23b6-3b27-11e6-8e82-002590263bf5)	Nessus	FreeBSD Local Security Checks	high
91810	WordPress < 4.5.3 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2016-5835

high

Tenable Plugins

high

high

medium

high

high