VID |
22701 |
Severity |
30 |
Port |
80, ... |
Protocol |
TCP |
Class |
CGI |
Detailed Description |
A version of WordPress software which is older than or as old as version 4.1.6 is detected as installed on the host. WordPress is a freely available PHP-based publication program that uses a MySQL backend database. WordPress versions 4.1.6 and earlier are vulnerable to multiple vulnerabilities.
- A cross-site scripting (XSS) vulnerability exists due to a flaw in the Shortcode API in which shortcodes embedded in HTML tags are not properly handled before returning the input to the users. A remote, authenticated attacker can exploit this by using a crafted request to execute arbitrary code in the user's browser session. (CVE-2015-5622)
- An unspecified vulnerability exists due to a flaw in Quick Draft, which can allow an unauthorized, remote user to create arbitrary drafts. (CVE-2015-5623)
* Note: This check solely relied on the version number of the WordPress software installed on the remote Web server to assess this vulnerability, so this might be a false positive.
* References: http://codex.wordpress.org/Version_4.1.6
* Platforms affected: WordPress versions 4.1.6 and earlier Any operating system Any version |
Recommendation |
Upgrade to the latest version of WordPress (4.1.6 or later), available from the WordPress Download Web site at http://wordpress.org/download/ |
Related URL |
CVE-2015-5622,CVE-2015-5623 (CVE) |
Related URL |
(SecurityFocus) |
Related URL |
(ISS) |
|