Arch Linux Security Advisory ASA-201703-14

Severity: Medium
Date : 2017-03-16
CVE-ID : CVE-2017-6814 CVE-2017-6815 CVE-2017-6816 CVE-2017-6817
CVE-2017-6818 CVE-2017-6819
Package : wordpress
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-202

Summary

The package wordpress before version 4.7.3-1 is vulnerable to multiple
issues including cross-site request forgery, cross-site scripting and
insufficient validation.

Resolution

Upgrade to 4.7.3-1.

pacman -Syu “wordpress>=4.7.3-1”

The problems have been fixed upstream in version 4.7.3.

Workaround

None.

Description

• CVE-2017-6814 (cross-site scripting)

An authenticated cross-site scripting (XSS) vulnerability has been
discovered in WordPress before 4.7.3 via Media File Metadata. This is
demonstrated by both (1) mishandling of the playlist shortcode in the
wp_playlist_shortcode function in wp-includes/media.php and (2)
mishandling of meta information in the renderTracks function in wp-
includes/js/mediaelement/wp-playlist.js.

• CVE-2017-6815 (insufficient validation)

A vulnerability has been discovered in WordPress before 4.7.3 (wp-
includes/pluggable.php) that certain control characters can trick
redirect URL validation.

• CVE-2017-6816 (insufficient validation)

It has been discovered that unintended files can be deleted by
administrators in WordPress before 4.7.3 (wp-admin/plugins.php) using
the plugin deletion functionality.

• CVE-2017-6817 (cross-site scripting)

An authenticated cross-site scripting (XSS) vulnerability has been
discovered in in WordPress before 4.7.3 (wp-includes/embed.php) via
YouTube URL Embeds.

• CVE-2017-6818 (cross-site scripting)

A cross-site scripting (XSS) vulnerability has been discovered in
WordPress before 4.7.3 (wp-admin/js/tags-box.js) via taxonomy term
names.

• CVE-2017-6819 (cross-site request forgery)

A cross-site request forgery (CSRF) vulnerability exists on the Press
This page of WordPress. This issue can be used to create a Denial of
Service (DoS) condition if an authenticated administrator visits a
malicious URL.

Impact

A remote attacker is able to execute arbitrary javascript on the
clients machine or perform a denial of service attack against the
server by tricking an administrator to visit a certain site.
Furthermore a malicious administrator is able to delete unintended
files from the server.

References

https://codex.wordpress.org/Version_4.7.3
https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
https://security.archlinux.org/CVE-2017-6814
https://security.archlinux.org/CVE-2017-6815
https://security.archlinux.org/CVE-2017-6816
https://security.archlinux.org/CVE-2017-6817
https://security.archlinux.org/CVE-2017-6818
https://security.archlinux.org/CVE-2017-6819