WordPress < 4.7.5 Multiple Vulnerabilities

high Nessus Plugin ID 100298

Synopsis

A PHP application running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.7.5.
It is, therefore, affected by multiple vulnerabilities :

- A DOM-based cross-site scripting (XSS) vulnerability exists in the uploadSizeError() function within file wp-includes/js/plupload/handlers.js when handling overly large file uploads due to improper validation of user-supplied input to file names before returning it in error messages. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-9061)

- A flaw exists in the set_custom_fields() function within file wp-includes/class-wp-xmlrpc-server.php when accessing post meta data due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this to gain unauthorized access to meta data. (CVE-2017-9062)

- A stored cross-site scripting (XSS) vulnerability exists within file wp-admin/customize.php script due to improper validation of user-supplied input to the blog name before returning it to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-9063)

- A cross-site request forgery (XSRF) vulnerability exists in the request_filesystem_credentials() function within file /wp-admin/includes/file.php due to a failure to require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions.
An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to disclose the user credentials. (CVE-2017-9064)

- A flaw exists in the XML-RPC API, specifically within file wp-includes/class-wp-xmlrpc-server.php in the
_insert_post() function, when handling post meta data due to a lack of capability checks. An unauthenticated, remote attacker can exploit this to manipulate posts without having the required capabilities.
(CVE-2017-9065)

- A flaw exists in the WP_Http::request() function within file wp-includes/class-http.php due to improper validation of user-supplied iput. An unauthenticated, remote attacker can exploit this to redirect the user to a URL of the attacker's choosing. (CVE-2017-9066)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to WordPress version 4.7.5 or later.

See Also

https://wordpress.org/news/2017/05/wordpress-4-7-5/

https://codex.wordpress.org/Version_4.7.5

Plugin Details

Severity: High

ID: 100298

File Name: wordpress_4_7_5.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 5/19/2017

Updated: 6/5/2024

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-9064

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress

Required KB Items: installed_sw/WordPress, www/PHP, Settings/ParanoidReport

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 5/16/2017

Vulnerability Publication Date: 4/21/2017

Reference Information

CVE: CVE-2017-9061, CVE-2017-9062, CVE-2017-9063, CVE-2017-9064, CVE-2017-9065, CVE-2017-9066

BID: 98509