VID | 22700
Severity | 30
Port | 80, ...
Protocol | TCP
Class | CGI
Detailed Description |
A version of WordPress at or below version 3.9.7 was detected on the host. WordPress is a freely available PHP-based publishing program that uses a MySQL backend database. WordPress versions 3.9.7 and earlier are affected by multiple vulnerabilities:
- A cross-site scripting (XSS) vulnerability exists due to a flaw in the Shortcode API: shortcodes embedded in HTML tags are not properly handled before the input is returned to users. A remote, authenticated attacker can exploit this by using a crafted request to execute arbitrary script code in the user's browser session. (CVE-2015-5622)
- An unspecified vulnerability exists due to a flaw in Quick Draft, which can allow an unauthorized, remote user to create arbitrary drafts. (CVE-2015-5623)
* Note: This check relies solely on the version number of the WordPress software installed on the remote Web server to assess this vulnerability, so the result might be a false positive.
* References: http://codex.wordpress.org/Version_3.9.7
* Platforms affected: WordPress versions 3.9.7 and earlier; any operating system, any version |
Recommendation |
Upgrade to the latest version of WordPress (3.9.7 or later), available from the WordPress Download Web site at http://wordpress.org/download/ |
Related URL |
CVE-2015-5622,CVE-2015-5623 (CVE) |