| VID |
210160 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
A version of WordPress software which is older than 4.2.2 is detected as installed on the host. WordPress is a freely available PHP-based publication program that uses a MySQL backend database. Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. A cross-site scripting vulnerability exists that was only partially fixed in the 4.2.1 release.
* Note: This check solely relied on the version number of the WordPress software installed on the remote Web server to assess this vulnerability, so this might be a false positive.
* References:
http://codex.wordpress.org/Version_4.2.2
https://wordpress.org/news/2015/05/wordpress-4-2-2/
* Platforms affected:
WordPress versions 4.2.2 earlier
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of WordPress (4.2.2 or later), available from the WordPress Download Web site at http://wordpress.org/download/ |
| Related URL |
CVE-2015-3440 (CVE) |
| Related URL |
74334 (SecurityFocus) |
| Related URL |
(ISS) |
|
