Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-5685.NASL
HistoryMay 09, 2024 - 12:00 a.m.

Debian dsa-5685 : wordpress - security update

2024-05-0900:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
3
debian 11
debian 12
wordpress
security update
multiple vulnerabilities
directory traversal
cross-site scripting
xss
sensitive information exposure
rest api
rce
cve-2023-2745
cve-2023-38000
cve-2023-39999
cve-2023-5561
cve-2024-31210
nessus
application version.

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

6.4 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.9%

JSON

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5685 advisory.

  • WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files.
    In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. (CVE-2023-2745)

  • Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and Gutenberg plugin <= 16.8.0 versions. (CVE-2023-38000)

  • Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2 through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through 5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13, from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from 4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5 through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1 through 4.1.38. (CVE-2023-39999)

  • WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack (CVE-2023-5561)

  • WordPress is an open publishing platform for the Web. It’s possible for a file of a type other than a zip file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin screen in WordPress. If FTP credentials are requested for installation (in order to move the file into place outside of the uploads directory) then the uploaded file remains temporary available in the Media Library despite it not being allowed. If the DISALLOW_FILE_EDIT constant is set to true on the site
    and FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue only affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it’s otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. Lower level users are not affected. Sites where the DISALLOW_FILE_MODS constant is set to true are not affected. Sites where an administrative user either does not need to enter FTP credentials or they have access to the valid FTP credentials, are not affected. The issue was fixed in WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the DISALLOW_FILE_MODS constant is defined as true then it will not be possible for any user to upload a plugin and therefore this issue will not be exploitable. (CVE-2024-31210)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5685. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(195202);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/31");

  script_cve_id(
    "CVE-2023-2745",
    "CVE-2023-5561",
    "CVE-2023-38000",
    "CVE-2023-39999",
    "CVE-2024-31210"
  );
  script_xref(name:"IAVA", value:"2023-A-0567-S");

  script_name(english:"Debian dsa-5685 : wordpress - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5685 advisory.

  - WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the
    wp_lang' parameter. This allows unauthenticated attackers to access and load arbitrary translation files.
    In cases where an attacker is able to upload a crafted translation file onto the site, such as via an
    upload form, this could be also used to perform a Cross-Site Scripting attack. (CVE-2023-2745)

  - Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability in WordPress core 6.3 through 6.3.1,
    from 6.2 through 6.2.2, from 6.1 through 6.1.3, from 6.0 through 6.0.5, from 5.9 through 5.9.7 and
    Gutenberg plugin <= 16.8.0 versions. (CVE-2023-38000)

  - Exposure of Sensitive Information to an Unauthorized Actor in WordPress from 6.3 through 6.3.1, from 6.2
    through 6.2.2, from 6.1 through 6.13, from 6.0 through 6.0.5, from 5.9 through 5.9.7, from 5.8 through
    5.8.7, from 5.7 through 5.7.9, from 5.6 through 5.6.11, from 5.5 through 5.5.12, from 5.4 through 5.4.13,
    from 5.3 through 5.3.15, from 5.2 through 5.2.18, from 5.1 through 5.1.16, from 5.0 through 5.0.19, from
    4.9 through 4.9.23, from 4.8 through 4.8.22, from 4.7 through 4.7.26, from 4.6 through 4.6.26, from 4.5
    through 4.5.29, from 4.4 through 4.4.30, from 4.3 through 4.3.31, from 4.2 through 4.2.35, from 4.1
    through 4.1.38. (CVE-2023-39999)

  - WordPress does not properly restrict which user fields are searchable via the REST API, allowing
    unauthenticated attackers to discern the email addresses of users who have published public posts on an
    affected website via an Oracle style attack (CVE-2023-5561)

  - WordPress is an open publishing platform for the Web. It's possible for a file of a type other than a zip
    file to be submitted as a new plugin by an administrative user on the Plugins -> Add New -> Upload Plugin
    screen in WordPress. If FTP credentials are requested for installation (in order to move the file into
    place outside of the `uploads` directory) then the uploaded file remains temporary available in the Media
    Library despite it not being allowed. If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site
    _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an
    RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects
    Administrator level users on single site installations, and Super Admin level users on Multisite
    installations where it's otherwise expected that the user does not have permission to upload or execute
    arbitrary PHP code. Lower level users are not affected. Sites where the `DISALLOW_FILE_MODS` constant is
    set to `true` are not affected. Sites where an administrative user either does not need to enter FTP
    credentials or they have access to the valid FTP credentials, are not affected. The issue was fixed in
    WordPress 6.4.3 on January 30, 2024 and backported to versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9,
    5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31,
    4.4.32, 4.3.33, 4.2.37, and 4.1.40. A workaround is available. If the `DISALLOW_FILE_MODS` constant is
    defined as `true` then it will not be possible for any user to upload a plugin and therefore this issue
    will not be exploitable. (CVE-2024-31210)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/wordpress");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-2745");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-38000");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-39999");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-5561");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-31210");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bookworm/wordpress");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/wordpress");
  script_set_attribute(attribute:"solution", value:
"Upgrade the wordpress packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-38000");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/05/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/05/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-l10n");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-theme-twentynineteen");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-theme-twentytwenty");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-theme-twentytwentyone");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-theme-twentytwentythree");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-theme-twentytwentytwo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+|^(12)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0 / 12.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'wordpress', 'reference': '5.7.11+dfsg1-0+deb11u1'},
    {'release': '11.0', 'prefix': 'wordpress-l10n', 'reference': '5.7.11+dfsg1-0+deb11u1'},
    {'release': '11.0', 'prefix': 'wordpress-theme-twentynineteen', 'reference': '5.7.11+dfsg1-0+deb11u1'},
    {'release': '11.0', 'prefix': 'wordpress-theme-twentytwenty', 'reference': '5.7.11+dfsg1-0+deb11u1'},
    {'release': '11.0', 'prefix': 'wordpress-theme-twentytwentyone', 'reference': '5.7.11+dfsg1-0+deb11u1'},
    {'release': '12.0', 'prefix': 'wordpress', 'reference': '6.1.6+dfsg1-0+deb12u1'},
    {'release': '12.0', 'prefix': 'wordpress-l10n', 'reference': '6.1.6+dfsg1-0+deb12u1'},
    {'release': '12.0', 'prefix': 'wordpress-theme-twentytwentyone', 'reference': '6.1.6+dfsg1-0+deb12u1'},
    {'release': '12.0', 'prefix': 'wordpress-theme-twentytwentythree', 'reference': '6.1.6+dfsg1-0+deb12u1'},
    {'release': '12.0', 'prefix': 'wordpress-theme-twentytwentytwo', 'reference': '6.1.6+dfsg1-0+deb12u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'wordpress / wordpress-l10n / wordpress-theme-twentynineteen / etc');
}
VendorProductVersionCPE
debiandebian_linux11.0cpe:/o:debian:debian_linux:11.0
debiandebian_linuxwordpressp-cpe:/a:debian:debian_linux:wordpress
debiandebian_linuxwordpress-theme-twentytwentythreep-cpe:/a:debian:debian_linux:wordpress-theme-twentytwentythree
debiandebian_linuxwordpress-l10np-cpe:/a:debian:debian_linux:wordpress-l10n
debiandebian_linuxwordpress-theme-twentytwentyp-cpe:/a:debian:debian_linux:wordpress-theme-twentytwenty
debiandebian_linuxwordpress-theme-twentytwentytwop-cpe:/a:debian:debian_linux:wordpress-theme-twentytwentytwo
debiandebian_linuxwordpress-theme-twentynineteenp-cpe:/a:debian:debian_linux:wordpress-theme-twentynineteen
debiandebian_linuxwordpress-theme-twentytwentyonep-cpe:/a:debian:debian_linux:wordpress-theme-twentytwentyone
debiandebian_linux12.0cpe:/o:debian:debian_linux:12.0

Related

osv 18
openvas 12
debian 3
nessus 28
ubuntucve 5
cve 5
cvelist 5
debiancve 5
nvd 5
qualysblog 1
prion 4
veracode 5
githubexploit 3
wpvulndb 5
attackerkb 1
fedora 3
wpexploit 1
packetstorm 1
wordfence 3
zdt 1
avleonov 1
osv
osv
wordpress - security update
2024-05-08 00:00:00
wordpress - security update
2023-11-20 00:00:00
BIT-wordpress-2024-31210
2024-04-06 18:33:59
openvas
openvas
Debian: Security Advisory (DSA-5685-1)
2024-05-09 00:00:00
WordPress Multiple Vulnerabilities (Oct 2023) - Windows
2023-10-13 00:00:00
WordPress Multiple Vulnerabilities (Oct 2023) - Linux
2023-10-13 00:00:00
debian
debian
[SECURITY] [DSA 5685-1] wordpress security update
2024-05-08 22:06:13
[SECURITY] [DLA 3658-1] wordpress security update
2023-11-20 21:26:30
[SECURITY] [DLA 3462-1] wordpress security update
2023-06-20 22:25:05
nessus
nessus
WordPress 6.0 < 6.3.2 Multiple Vulnerabilities
2023-10-12 00:00:00
Debian DLA-3658-1 : wordpress - LTS security update
2023-11-20 00:00:00
Fedora 38 : wordpress (2023-c42a4b2eab)
2023-10-25 00:00:00
ubuntucve
ubuntucve
CVE-2024-31210
2024-04-04 00:00:00
CVE-2023-39999
2023-10-13 00:00:00
CVE-2023-5561
2023-10-16 00:00:00
cve
cve
CVE-2024-31210
2024-04-04 23:15:16
CVE-2023-39999
2023-10-13 12:15:09
CVE-2023-38000
2023-10-13 10:15:09
cvelist
cvelist
CVE-2024-31210 PHP file upload bypass via Plugin installer
2024-04-04 22:59:28
CVE-2023-39999 WordPress < 6.3.2 is vulnerable to Broken Access Control
2023-10-13 11:31:16
CVE-2023-5561 WordPress < 6.3.2 - Unauthenticated Post Author Email Disclosure
2023-10-16 19:39:10
debiancve
debiancve
CVE-2024-31210
2024-04-04 23:15:16
CVE-2023-39999
2023-10-13 12:15:09
CVE-2023-38000
2023-10-13 10:15:09
nvd
nvd
CVE-2024-31210
2024-04-04 23:15:16
CVE-2023-39999
2023-10-13 12:15:09
CVE-2023-38000
2023-10-13 10:15:09
qualysblog
qualysblog
WordPress Remote Code Execution via Plugin Upload (CVE-2024-31210)
2024-04-15 16:12:05
prion
prion
Design/Logic Flaw
2023-10-13 12:15:00
Cross site scripting
2023-10-13 10:15:00
Code injection
2023-10-16 20:15:00
veracode
veracode
Remote Code Execution
2024-04-08 04:22:14
Information Disclosure
2023-11-05 17:25:17
Information Disclosure
2023-11-12 06:43:12
githubexploit
githubexploit
Exploit for CVE-2024-31210
2024-06-13 00:24:56
Exploit for Vulnerability in Wordpress
2023-11-26 03:47:33
Exploit for CVE-2023-5561
2023-12-13 16:43:18
wpvulndb
wpvulndb
WP < 6.3.2 - Contributor+ Comment Disclosure
2023-10-13 00:00:00
Gutenberg < 16.8.1 - Contributor+ Stored XSS via Navigation Links Block
2023-10-13 00:00:00
WP 5.6-6.3.1 - Contributor+ Stored XSS via Navigation Block
2023-10-13 00:00:00
attackerkb
attackerkb
CVE-2023-39999
2023-10-13 00:00:00
fedora
fedora
[SECURITY] Fedora 39 Update: wordpress-6.3.2-1.fc39
2023-11-03 18:58:31
[SECURITY] Fedora 37 Update: wordpress-6.2.3-1.fc37
2023-10-25 01:24:30
[SECURITY] Fedora 38 Update: wordpress-6.3.2-1.fc38
2023-10-25 01:36:40
wpexploit
wpexploit
WP < 6.3.2 - Unauthenticated Post Author Email Disclosure
2023-10-13 00:00:00
packetstorm
packetstorm
WordPress Core 6.2 XSS / CSRF / Directory Traversal
2023-05-17 00:00:00
wordfence
wordfence
WordPress Core 6.2.1 Security & Maintenance Release – What You Need to Know
2023-05-16 20:36:58
Wordfence Intelligence Weekly WordPress Vulnerability Report (October 9, 2023 to October 15, 2023)
2023-10-19 15:52:27
Wordfence Intelligence Weekly WordPress Vulnerability Report (May 15, 2023 to May 21, 2023)
2023-05-25 13:11:33
zdt
zdt
WordPress Core 6.2 XSS / CSRF / Directory Traversal Vulnerability
2023-05-19 00:00:00
avleonov
avleonov
November 2023 – January 2024: New Vulristics Features, 3 Months of Microsoft Patch Tuesdays and Linux Patch Wednesdays, Year 2023 in Review
2024-02-01 17:07:20

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

6.4 Medium

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

69.9%

JSON
Related for DEBIAN_DSA-5685.NASL
osv18openvas12debian3nessus28ubuntucve5cve5cvelist5debiancve5nvd5qualysblog1prion4veracode5githubexploit3wpvulndb5attackerkb1fedora3wpexploit1packetstorm1wordfence3zdt1avleonov1