6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
75.4%
Package : wordpress
Version : 3.6.1+dfsg-1~deb7u13
CVE ID : CVE-2017-5488 CVE-2017-5489 CVE-2017-5490
CVE-2017-5491 CVE-2017-5492 CVE-2017-5493
CVE-2017-5610 CVE-2017-5611 CVE-2017-5612
Debian Bug : 851310 852767
Several vulnerabilities were discovered in wordpress, a web blogging
tool. The Common Vulnerabilities and Exposures project identifies the
following issues.
CVE-2017-5488
Multiple cross-site scripting (XSS) vulnerabilities in
wp-admin/update-core.php in WordPress before 4.7.1 allow remote
attackers to inject arbitrary web script or HTML via the name or
version header of a plugin.
CVE-2017-5489
Cross-site request forgery (CSRF) vulnerability in WordPress before
4.7.1 allows remote attackers to hijack the authentication of
unspecified victims via vectors involving a Flash file upload.
CVE-2017-5490
Cross-site scripting (XSS) vulnerability in the theme-name fallback
functionality in wp-includes/class-wp-theme.php in WordPress before
4.7.1 allows remote attackers to inject arbitrary web script or HTML
via a crafted directory name of a theme, related to
wp-admin/includes/class-theme-installer-skin.php.
CVE-2017-5491
wp-mail.php in WordPress before 4.7.1 might allow remote attackers to
bypass intended posting restrictions via a spoofed mail server with the
mail.example.com name.
CVE-2017-5492
Cross-site request forgery (CSRF) vulnerability in the widget-editing
accessibility-mode feature in WordPress before 4.7.1 allows remote
attackers to hijack the authentication of unspecified victims for
requests that perform a widgets-access action, related to
wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.
CVE-2017-5493
wp-includes/ms-functions.php in the Multisite WordPress API in WordPress
before 4.7.1 does not properly choose random numbers for keys, which
makes it easier for remote attackers to bypass intended access
restrictions via a crafted site signup or user signup.
CVE-2017-5610
wp-admin/includes/class-wp-press-this.php in Press This in WordPress
before 4.7.2 does not properly restrict visibility of a
taxonomy-assignment user interface, which allows remote attackers to
bypass intended access restrictions by reading terms.
CVE-2017-5611
SQL injection vulnerability in wp-includes/class-wp-query.php in
WP_Query in WordPress before 4.7.2 allows remote attackers to execute
arbitrary SQL commands by leveraging the presence of an affected
plugin or theme that mishandles a crafted post type name.
CVE-2017-5612
Cross-site scripting (XSS) vulnerability in
wp-admin/includes/class-wp-posts-list-table.php in the posts list
table in WordPress before 4.7.2 allows remote attackers to inject
arbitrary web script or HTML via a crafted excerpt.
For Debian 7 "Wheezy", these problems have been fixed in version
3.6.1+dfsg-1~deb7u13.
We recommend that you upgrade your wordpress packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 7 | all | wordpress | < 3.6.1+dfsg-1~deb7u13 | wordpress_3.6.1+dfsg-1~deb7u13_all.deb |
Debian | 8 | all | wordpress-theme-twentyfifteen | < 4.1+dfsg-1+deb8u12 | wordpress-theme-twentyfifteen_4.1+dfsg-1+deb8u12_all.deb |
Debian | 8 | all | wordpress-l10n | < 4.1+dfsg-1+deb8u12 | wordpress-l10n_4.1+dfsg-1+deb8u12_all.deb |
Debian | 8 | all | wordpress-theme-twentyfourteen | < 4.1+dfsg-1+deb8u12 | wordpress-theme-twentyfourteen_4.1+dfsg-1+deb8u12_all.deb |
Debian | 8 | all | wordpress | < 4.1+dfsg-1+deb8u12 | wordpress_4.1+dfsg-1+deb8u12_all.deb |
Debian | 7 | all | wordpress-l10n | < 3.6.1+dfsg-1~deb7u13 | wordpress-l10n_3.6.1+dfsg-1~deb7u13_all.deb |
Debian | 8 | all | wordpress-theme-twentythirteen | < 4.1+dfsg-1+deb8u12 | wordpress-theme-twentythirteen_4.1+dfsg-1+deb8u12_all.deb |
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
75.4%