VID 22778
Severity 30
Port 80, ...
Protocol TCP
Class CGI
Detailed Description A version of WordPress older than 4.7.2 (i.e. 4.7.0 or 4.7.1) is detected as installed on the host. WordPress is a freely available PHP-based publishing platform that uses a MySQL backend database. WordPress 4.7.x prior to 4.7.2 contains a privilege escalation vulnerability in the REST API (CVE-2017-1001000): the posts endpoint did not validate the user-supplied 'id' parameter consistently when editing or deleting posts, so a value such as '123abc' could bypass the permission check and still be coerced to the integer 123 when the change was applied. An unauthenticated, remote attacker can exploit this issue to inject content into any post or page, modify post attributes, or delete posts; on sites running a plugin that evaluates PHP or shortcodes in post content, the injected content can also lead to arbitrary PHP code execution.
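The following is an added illustration of the root cause described above; it is not WordPress source code and not part of the original advisory. It approximates two PHP coercions (is_numeric() and an (int) cast) in Python, because the flaw was that the permission check and the write path coerced the same 'id' value differently. The post table is constructed sample data, and the function names (vulnerable_update, fixed_update, get_post_strict) are this example's own.

```python
"""Model of the 4.7.0/4.7.1 REST API 'id' handling behind CVE-2017-1001000.

Added illustration for this advisory, not WordPress code. The PHP coercions
are approximated in Python; post data is constructed sample data.
"""
import math
import re


def php_is_numeric(value: str) -> bool:
    """Approximates PHP is_numeric(): a decimal number with optional sign,
    fraction and exponent, and nothing else (so "123abc" is not numeric)."""
    return re.fullmatch(r"\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?", value) is not None


def php_int_cast(value: str) -> int:
    """Approximates PHP's (int) cast on a string: the leading integer prefix
    is kept and the rest is silently dropped ("123abc" -> 123, "abc" -> 0)."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def make_posts() -> dict:
    """Constructed post table: id -> post record."""
    return {123: {"title": "Hello world", "author": "admin"}}


def get_post_strict(posts: dict, post_id: str):
    """Models the strict lookup used by the permission check: a non-numeric,
    non-integer or zero id is rejected and yields no post at all."""
    if not php_is_numeric(post_id):
        return None
    number = float(post_id)
    if number != math.floor(number) or int(number) == 0:
        return None
    return posts.get(int(number))


def vulnerable_update(posts: dict, request_id: str, new_title: str, user_can_edit: bool) -> bool:
    """4.7.0/4.7.1 logic: the permission check only runs when the strict
    lookup returns a post, but the write path int-casts the id instead."""
    post = get_post_strict(posts, request_id)
    if post is not None and not user_can_edit:
        return False  # permission denied (only reached for well-formed ids)
    target = posts.get(php_int_cast(request_id))
    if target is None:
        return False  # no such post
    target["title"] = new_title  # an anonymous caller lands here with "123abc"
    return True


def fixed_update(posts: dict, request_id: str, new_title: str, user_can_edit: bool) -> bool:
    """Hardened logic: resolve the id once, reject anything that does not name
    a post, and use that one object for both the check and the write."""
    post = get_post_strict(posts, request_id)
    if post is None:
        return False  # malformed or unknown id is an error, not a fallback
    if not user_can_edit:
        return False  # permission denied
    post["title"] = new_title
    return True


if __name__ == "__main__":
    posts = make_posts()
    print("vulnerable, anonymous, id=123abc:", vulnerable_update(posts, "123abc", "injected", False))
    print("post 123 title now:", posts[123]["title"])
    posts = make_posts()
    print("fixed, anonymous, id=123abc:", fixed_update(posts, "123abc", "injected", False))
```

The point of the model is the mismatch, not the exact PHP semantics: any handler that validates a parameter with one coercion and acts on it with another leaves a gap a crafted value can fall through. The fix is to resolve the identifier once and treat a failed resolution as an error rather than as "no check needed".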

* Note: This check relies solely on the version number reported by the WordPress installation on the remote web server, so the result may be a false positive (for example, if the REST API has been disabled, or the fix has been applied without changing the reported version).
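As an added example of the version-based check the note describes (written for this advisory, not the scanner's own code), the script below pulls the version from the generator meta tag of a constructed sample page and decides whether it falls in the affected range 4.7.0 to 4.7.1. The sample HTML, the function names and the reported notes are this example's own.

```python
"""Version-range check for the WordPress REST API flaw fixed in 4.7.2.

Added example for this advisory, not the scanner's own code. Like the
advisory's check it is version-based only and does not confirm exposure.
"""
import re
from typing import Optional, Tuple

AFFECTED_MIN = (4, 7, 0)  # 4.7 was the first core release shipping the REST API content endpoints
FIXED_IN = (4, 7, 2)

# Constructed sample of a WordPress front page (not a capture from a real site).
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<title>Example blog</title>
<meta name="generator" content="WordPress 4.7.1" />
</head><body><p>Hello world</p></body></html>"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turns '4.7' or '4.7.1' into a 3-tuple; anything else yields None."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+){0,2})\s*", text)
    if m is None:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)  # '4.7' is the same release as 4.7.0
    return (parts[0], parts[1], parts[2])


def extract_version(html: str) -> Optional[str]:
    """Pulls the version from <meta name="generator" content="WordPress x.y.z">."""
    m = re.search(
        r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)',
        html,
        re.IGNORECASE,
    )
    return m.group(1) if m else None


def is_affected(version: str) -> Optional[bool]:
    """True for 4.7.0 and 4.7.1, False for other versions, None if unparsable."""
    v = parse_version(version)
    if v is None:
        return None
    return AFFECTED_MIN <= v < FIXED_IN


def assess(html: str) -> dict:
    """Version-only assessment in the same spirit as the scanner check."""
    version = extract_version(html)
    if version is None:
        return {"version": None, "affected": None, "note": "generator tag absent or hidden; version unknown"}
    affected = is_affected(version)
    if affected:
        note = "in 4.7.0-4.7.1; version-based only, confirm the REST posts endpoint is reachable before calling it exploitable"
    elif affected is None:
        note = "unparsable version string"
    else:
        note = "outside 4.7.0-4.7.1"
    return {"version": version, "affected": affected, "note": note}


if __name__ == "__main__":
    print(assess(SAMPLE_PAGE))
```

A site that strips the generator tag yields an unknown version rather than a "not affected" verdict; treating silence as safety is the other direction in which a version-only check misleads.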

* References:
http://thehackernews.com/2017/02/wordpress-hack-seo.html

* Platforms affected:
WordPress 4.7.x versions prior to 4.7.2
Any operating system Any version
Recommendation Upgrade to the latest version of WordPress (4.7.2 or later), available from the WordPress Download Web site at http://wordpress.org/download/
Related URL CVE-2017-1001000 (CVE)