Synopsis
The remote web server contains a PHP application that is affected by multiple vulnerabilities.
Description
According to its version number, the WordPress application hosted on the remote web server is affected by multiple vulnerabilities :
- An XML injection flaw exists within 'getid3.lib.php' due to the parser accepting XML external entities from untrusted sources. Using specially crafted XML data, a remote attacker could access sensitive information or cause a denial of service. This affects versions 3.6 - 3.9.1, except 3.7.4 and 3.8.4.
- An XML injection flaw exists within 'xmlrpc.php' due to the parser accepting XML internal entities without properly validating them. Using specially crafted XML data, a remote attacker could cause a denial of service.
This affects versions 1.5 - 3.9.1, except 3.7.4 and 3.8.4.
- An unsafe serialization flaw exists in the script '/src/wp-includes/class-wp-customize-widgets.php' when processing widgets. This could allow a remote attacker to execute arbitrary code. Versions 3.9 and 3.9.1 non-default configurations are affected.
- A flaw exists when building CSRF tokens due to it not separating pieces by delimiter and not comparing nonces in a time-constant manner. This could allow a remote attacker to conduct a brute force attack and potentially disclose the CSRF token. This affects versions 2.0.3 - 3.9.1, except 3.7.4 and 3.8.4.
- A cross-site scripting flaw exists in the function 'get_avatar' within the '/src/wp-includes/pluggable.php' script where input from the avatars is not validated before returning it to the user. Using a specially crafted request, an authenticated attacker could execute arbitrary script code within the browser / server trust relationship. This affects version 3.9.1.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to WordPress 3.7.4 / 3.8.4 / 3.9.2 or later.
Plugin Details
File Name: wordpress_3_9_2.nasl
Configuration: Enable paranoid mode
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: cpe:/a:wordpress:wordpress
Required KB Items: www/PHP, installed_sw/WordPress, Settings/ParanoidReport
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No exploit is required
Patch Publication Date: 8/6/2014
Vulnerability Publication Date: 3/7/2014
Reference Information
CVE: CVE-2014-2053, CVE-2014-5203, CVE-2014-5204, CVE-2014-5205, CVE-2014-5240, CVE-2014-5265, CVE-2014-5266
BID: 69096
CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990