SB2017032307 - Debian update for wordpress

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017032307

SB2017032307 - Debian update for wordpress

Published: March 23, 2017

Security Bulletin ID SB2017032307
Severity
Low
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2017-6814)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data passed via playlist shortcode in the wp_playlist_shortcode() function in wp-includes/media.php and via the meta information in the renderTracks() function in wp-includes/js/mediaelement/wp-playlist.js. A remote attacker can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.



2) Open redirect (CVE-ID: CVE-2017-6815)

The vulnerability allows a remote attacker to redirect website visitors to external websites.

The vulnerability is caused by incorrect validation of redirected URL in wp-includes/pluggable.php. A remote attacker can create a specially crafted link, redirect the victim on external website and perform a phishing attack.

3) Improper input validation (CVE-ID: CVE-2017-6816)

The vulnerability allows a remote authenticated administrator to delete certain files.

The vulnerability is caused by unknown error within plugin deletion functionality (wp-admin/plugins.php). A remote authenticated administrator can unintentionally delete certain files on the system.

4) Cross-site scripting (CVE-ID: CVE-2017-6817)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data passed via video URL in YouTube embeds (wp-includes/embed.php). A remote attacker with ability to add videos can inject arbitrary HTML and script code and execute it in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.



Remediation

Install update from vendor's website.

References