VID 22699
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description WordPress version 3.8.9 or earlier was detected on the host. WordPress is a freely available PHP-based publishing program that uses a MySQL backend database. WordPress versions 3.8.9 and earlier are affected by multiple vulnerabilities.

- A cross-site scripting (XSS) vulnerability exists due to a flaw in the Shortcode API: shortcodes embedded in HTML tags are not properly handled before the input is returned to users. A remote, authenticated attacker can exploit this with a crafted request to execute arbitrary code in the user's browser session. (CVE-2015-5622)

- An unspecified vulnerability exists due to a flaw in Quick Draft, which can allow an unauthorized, remote user to create arbitrary drafts. (CVE-2015-5623)

* Note: This check relies solely on the version number of the WordPress software installed on the remote Web server to assess this vulnerability, so the result might be a false positive.

* References:
http://codex.wordpress.org/Version_3.8.9

* Platforms affected:
WordPress versions 3.8.9 and earlier
Any operating system, any version
Recommendation Upgrade to the latest version of WordPress (3.8.9 or later), available from the WordPress Download Web site at http://wordpress.org/download/
Related URL CVE-2015-5622, CVE-2015-5623 (CVE)