Detections
Analytics
WordPress < 5.1.1 Multiple Vulnerabilities
high Nessus Plugin ID 122823
Language:
Synopsis
A PHP application running on the remote web server is affected by multiple vulnerabilities.Description
According to its self-reported version number, the WordPress application running on the remote web server is affected by multiple vulnerabilities:- A cross-site request forgery (XSRF) vulnerability exists in the comment form due to improper validation. A remote attacker can exploit this by tricking a user into visiting a specially crafted web page, allowing the attacker to create comments on the administrator's behalf. (CVE-2019-9787)
- A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input before returning it to users. An unauthenticated, remote attacker can exploit this, by convincing a user to click a specially crafted URL, to execute arbitrary script code in a user's browser session.
Solution
Upgrade to WordPress version 5.1.1 or later.See Also
Plugin Details
Severity: High
ID: 122823
File Name: wordpress_5_1_1.nasl
Version: 1.6
Type: remote
Family: CGI abuses
Published: 3/14/2019
Updated: 6/14/2024
Configuration: Enable paranoid mode
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2019-9787
CVSS v3
Risk Factor: High
Base Score: 8.8
Temporal Score: 7.9
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:wordpress:wordpress
Required KB Items: installed_sw/WordPress, www/PHP, Settings/ParanoidReport
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 3/12/2019
Vulnerability Publication Date: 3/12/2019
Reference Information
CVE: CVE-2019-9787
BID: 107411