Versions of WordPress prior to 4.5.2 are affected by multiple vulnerabilities:
- A flaw exists that is triggered when using the ‘ephemeral’ pseudo protocol, which may allow a context-dependent attacker to delete arbitrary files.
- A flaw exists in the ‘msl’ pseudo protocol that is triggered when moving image files. This may allow a context-dependent attacker to move arbitrary files to arbitrary locations.
- A flaw exists in the ‘label’ pseudo protocol that is triggered during the handling of a specially crafted image. This may allow a context-dependent attacker to read arbitrary files.
- A flaw known as ‘ImageTragick’ is triggered because shell characters are not properly filtered in filenames passed to delegate commands. This may allow a context-dependent attacker to inject arbitrary shell commands and subsequently execute arbitrary code.
- ‘MediaElement.js’ contains a flaw that allows a reflected cross-site scripting (XSS) attack. The program does not validate input before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.
- Plupload contains an unspecified same-origin method execution flaw. No further details have been provided.
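
The pseudo-protocol and delegate flaws above are in ImageMagick, whose `policy.xml` can disable individual coders. The following is an added example, not part of the original advisory: it audits a policy file for the coders the advisory names. The extra coder names and both sample policies are assumptions constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Coders named in the advisory above.
PAGE_CODERS = ("EPHEMERAL", "MSL", "LABEL")
# Assumption: taken from the public ImageTragick mitigation guidance, not this page.
EXTRA_CODERS = ("MVG", "URL", "HTTPS")

def coder_status(policy_xml, coders=PAGE_CODERS + EXTRA_CODERS):
    """Map each coder to 'disabled', 'allowed' or 'unlisted'.

    Conservative: a coder counts as disabled only when every matching
    <policy domain="coder"> entry has rights="none", so the verdict does not
    depend on the order in which ImageMagick evaluates entries. Brace patterns
    such as {A,B} are not expanded; they are reported as 'unlisted'.
    """
    root = ET.fromstring(policy_xml)
    status = {}
    for coder in coders:
        rights = [
            p.get("rights", "").strip().lower()
            for p in root.iter("policy")
            if p.get("domain", "").lower() == "coder"
            and fnmatch.fnmatchcase(coder, p.get("pattern", "").upper())
        ]
        if not rights:
            status[coder] = "unlisted"
        elif all(r == "none" for r in rights):
            status[coder] = "disabled"
        else:
            status[coder] = "allowed"
    return status

def exposed(policy_xml):
    """Sorted list of audited coders that the policy does not fully disable."""
    return sorted(c for c, s in coder_status(policy_xml).items() if s != "disabled")

# Constructed sample: one coder blocked, one blocked then re-enabled, rest missing.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="LABEL"/>
  <policy domain="coder" rights="read" pattern="LABEL"/>
</policymap>"""

# Constructed sample: every audited coder has rights="none".
HARDENED_POLICY = "<policymap>" + "".join(
    f'<policy domain="coder" rights="none" pattern="{c}"/>'
    for c in PAGE_CODERS + EXTRA_CODERS) + "</policymap>"

if __name__ == "__main__":
    print("weak:", exposed(WEAK_POLICY), "hardened:", exposed(HARDENED_POLICY))
```

Upgrading WordPress to 4.5.2 or later remains the fix the advisory points to; the policy audit covers the underlying image library on the same host.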