WordPress < 4.7.1 Multiple Vulnerabilities

critical Nessus Plugin ID 96606

Synopsis

A PHP application running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.7.1.
It is, therefore, affected by multiple vulnerabilities :

- A remote code execution vulnerability exists in the PHPMailer component in the class.phpmailer.php script due to improper handling of sender email addresses. An unauthenticated, remote attacker can exploit this to pass extra arguments to the sendmail binary, potentially allowing the attacker to execute arbitrary code.
(CVE-2016-10033, CVE-2016-10045)

- An information disclosure vulnerability exists in the REST API implementation due to a failure to properly restrict listings of post authors. An unauthenticated, remote attacker can exploit this, via a wp-json/wp/v2/users request, to disclose sensitive information. (CVE-2017-5487)

- Multiple cross-site scripting (XSS) vulnerabilities exist in the update-core.php script due to improper validation of input to the plugin name or version header. An unauthenticated, remote attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user's browser session.
(CVE-2017-5488)

- A cross-site request forgery (XSRF) vulnerability exists due to improper handling of uploaded Flash files. An unauthenticated, remote attacker can exploit this, via a specially crafted Flash file, to hijack the authentication of users. (CVE-2017-5489)

- A cross-site scripting (XSS) vulnerability exists in the class-wp-theme.php script due to improper validation of input when handling theme name fallback. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-5490)

- A security bypass vulnerability exists in the wp-mail.php script due to improper validation of mail server names. An unauthenticated, remote attacker can exploit this, via a spoofed mail server with the 'mail.example.com' name, to bypass intended security restrictions. (CVE-2017-5491)

- A cross-site request forgery (XSRF) vulnerability exists in the widget-editing accessibility-mode feature due to a failure to require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions for HTTP requests. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted URL, to hijack the authentication of users or cause them to edit widgets.
(CVE-2017-5492)

- A security bypass vulnerability exists in the ms-functions.php script due to the use of weak cryptographic security for multisite activation keys. An unauthenticated, remote attacker can exploit this, via a specially crafted site sign-up or user sign-up, to bypass intended access restrictions. (CVE-2017-5493)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to WordPress version 4.7.1 or later.

See Also

http://www.nessus.org/u?dede5367

https://codex.wordpress.org/Version_4.7.1

https://core.trac.wordpress.org/query?milestone=4.7.1

http://www.nessus.org/u?f07608c3

Plugin Details

Severity: Critical

ID: 96606

File Name: wordpress_4_7_1.nasl

Version: 1.14

Type: remote

Family: CGI abuses

Published: 1/18/2017

Updated: 6/4/2024

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Enable CGI Scanning: true

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-10033

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress

Required KB Items: installed_sw/WordPress, Settings/ParanoidReport, www/PHP

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 1/11/2017

Vulnerability Publication Date: 12/24/2016

Exploitable With

Core Impact

Metasploit (PHPMailer Sendmail Argument Injection)

Reference Information

CVE: CVE-2016-10033, CVE-2016-10045, CVE-2017-5487, CVE-2017-5488, CVE-2017-5489, CVE-2017-5490, CVE-2017-5491, CVE-2017-5492, CVE-2017-5493

BID: 95108, 95130, 95391, 95397, 95399, 95401, 95402, 95406, 95407