Detections
Analytics
WordPress < 0.72 RC1 Multiple Vulnerabilities
high Nessus Plugin ID 11703
Language:
Synopsis
The remote web server contains PHP scripts that allow for arbitrary PHP code execution and local file disclosure as well as SQL injection attacks.Description
It is possible to make the remote host include php files hosted on a third-party server using the WordPress CGI suite that is installed (which is also vulnerable to a SQL injection attack).An attacker may use this flaw to inject arbitrary PHP code into the remote host and gain a shell with the privileges of the web server or to take the control of the remote database.
Solution
Upgrade to 0.72 RC1 or higher.See Also
http://www.kernelpanik.org/docs/kernelpanik/wordpressadv.txt
Plugin Details
Severity: High
ID: 11703
File Name: wordpress_flaws.nasl
Version: 1.29
Type: remote
Family: CGI abuses
Published: 6/9/2003
Updated: 6/4/2024
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Medium
Score: 4.2
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2003-1599
CVSS v3
Risk Factor: High
Base Score: 7.3
Temporal Score: 6.4
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:wordpress:wordpress
Required KB Items: installed_sw/WordPress, www/PHP
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No exploit is required
Patch Publication Date: 10/4/2003
Vulnerability Publication Date: 6/2/2003
Reference Information
CVE: CVE-2003-1599
BID: 7785