WordPress < 3.7.9 / 3.8.x < 3.8.9 / 3.9.x < 3.9.7 / 4.1.x < 4.1.6 / 4.2.x < 4.2.3 Multiple Vulnerabilities

low Nessus Network Monitor Plugin ID 9030

Synopsis

The remote server is hosting an outdated installation of WordPress that is vulnerable to multiple attack vectors.

Description

Versions of WordPress 3.7.x prior to 3.7.9 , 3.8.x prior to 3.8.9 , 3.9.x prior to 3.9.7 , 4.1.x prior to 4.1.6 , and 4.2.x prior to 4.2.3 are susceptible to the following vulnerabilities :

- A cross-site scripting (XSS) vulnerability exists due to a flaw in the Shortcode API in which shortcodes embedded in HTML tags are not properly handled before returning the input to the users. A remote, authenticated attacker can exploit this by using a crafted request to execute arbitrary code in the user's browser session.
- An unspecified vulnerability exists due to a flaw in Quick Draft, which can allow an unauthorized, remote user to create arbitrary drafts.

Solution

Upgrade to WordPress 4.2.3, or later. If 4.2.x cannot be obtained, 3.7.9, 3.8.9, 3.9.7, and 4.1.6 are also patched for these vulnerabilities.

See Also

https://wordpress.org/news/2015/07/wordpress-4-2-3

http://codex.wordpress.org/Version_3.7.9

http://codex.wordpress.org/Version_3.8.9

http://codex.wordpress.org/Version_3.9.7

http://codex.wordpress.org/Version_4.1.6

http://codex.wordpress.org/Version_4.2.3

Plugin Details

Severity: Low

ID: 9030

Family: CGI

Published: 12/17/2015

Updated: 3/6/2019

Nessus ID: 85082

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.5

Temporal Score: 3.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress

Patch Publication Date: 7/23/2015

Vulnerability Publication Date: 7/23/2015

Reference Information

CVE: CVE-2015-5622, CVE-2015-5623

BID: 76011