WordPress 3.9.x < 3.9.19 Multiple Vulnerabilities

According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities :

• A DOM-based cross-site scripting (XSS) vulnerability exists in the uploadSizeError() function within file wp-includes/js/plupload/handlers.js when handling overly large file uploads due to improper validation of user-supplied input to file names before returning it in error messages. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user’s browser session. (CVE-2017-9061)

• A flaw exists in the set_custom_fields() function within file wp-includes/class-wp-xmlrpc-server.php when accessing post meta data due to improper validation of user-supplied input. An authenticated, remote attacker can exploit this to gain unauthorized access to meta data. (CVE-2017-9062)

• A stored cross-site scripting (XSS) vulnerability exists within file wp-admin/customize.php script due to improper validation of user-supplied input to the blog name before returning it to users. An authenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user’s browser session. (CVE-2017-9063)

• A cross-site request forgery (XSRF) vulnerability exists in the request_filesystem_credentials() function within file /wp-admin/includes/file.php due to a failure to require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to disclose the user credentials. (CVE-2017-9064)

• A flaw exists in the XML-RPC API, specifically within file wp-includes/class-wp-xmlrpc-server.php in the _insert_post() function, when handling post meta data due to a lack of capability checks. An unauthenticated, remote attacker can exploit this to manipulate posts without having the required capabilities. (CVE-2017-9065)

• An flaw exists in the WP_Http::request() function within file wp-includes/class-http.php due to improper validation of user-supplied iput. An unauthenticated, remote attacker can exploit this to redirect the user to a URL of the attacker’s choosing. (CVE-2017-9066)

Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.