Fedora Update for wordpress FEDORA-2016-d9bd0c4830
2016-06-08T00:00:00
ID OPENVAS:1361412562310808411 Type openvas Reporter Copyright (C) 2016 Greenbone Networks GmbH Modified 2019-03-15T00:00:00
Description
The remote host is missing an update for the 'wordpress' package(s) announced via the referenced advisory.
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for wordpress FEDORA-2016-d9bd0c4830
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Metadata pass: `description` is set when the scanner loads the script to
# register it. This block only declares metadata and ends with exit(0), so
# the package check further down does not run during that pass.
if(description)
{
# Identity and revision bookkeeping for this check.
script_oid("1.3.6.1.4.1.25623.1.0.808411");
script_version("$Revision: 14223 $");
script_tag(name:"last_modification", value:"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $");
script_tag(name:"creation_date", value:"2016-06-08 15:53:02 +0200 (Wed, 08 Jun 2016)");
# CVEs covered by the advisory, with one CVSS v2 base score and vector for the
# whole check (network vector, medium complexity, partial integrity impact).
script_cve_id("CVE-2016-4566", "CVE-2016-4567");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
# "package" quality of detection: the finding rests on the installed package
# version, not on probing the WordPress instance itself.
script_tag(name:"qod_type", value:"package");
script_name("Fedora Update for wordpress FEDORA-2016-d9bd0c4830");
# The summary string spans two source lines; the line break is part of the value.
script_tag(name:"summary", value:"The remote host is missing an update for the 'wordpress'
package(s) announced via the referenced advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
script_tag(name:"affected", value:"wordpress on Fedora 24");
script_tag(name:"solution", value:"Please install the updated package(s).");
# Cross-references: the Fedora advisory id and its package-announce message.
script_xref(name:"FEDORA", value:"2016-d9bd0c4830");
script_xref(name:"URL", value:"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ONPDRFTOLD3XFYP5NJYSVO6ASEYW7HKX");
script_tag(name:"solution_type", value:"VendorFix");
# ACT_GATHER_INFO places the script among the information-gathering checks.
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
script_family("Fedora Local Security Checks");
# Scheduling preconditions: run after gather-package-list.nasl, and only when
# the knowledge base holds the Fedora SSH login keys, an RPM list and a release
# entry matching FC24. Presumably those keys are written by the dependency
# after an authenticated SSH login; without credentials the check would then
# be skipped rather than report the host as patched (confirm against
# gather-package-list.nasl).
script_dependencies("gather-package-list.nasl");
script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC24");
# End of the metadata pass.
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Release tag of the target as returned by rpm_get_ssh_release(); without one
# there is nothing to compare against, so the script ends without a result.
release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";

# The advisory covers Fedora 24 only; any other release falls through to the
# end of the script without reporting.
if(release == "FC24")
{
  # Compare the installed wordpress RPM with the build named in the advisory.
  # A non-NULL result is passed on as the finding text.
  # NOTE(review): this is a version comparison on the collected RPM list only;
  # a WordPress copy installed outside RPM would presumably not be seen here.
  # Confirm against pkg-lib-rpm.inc.
  res = isrpmvuln(pkg:"wordpress", rpm:"wordpress~4.5.2~2.fc24", rls:"FC24");
  if(res != NULL)
  {
    security_message(data:res);
    exit(0);
  }

  # __pkg_match is not assigned in this script; presumably isrpmvuln() sets it
  # when the package is installed. Exit code 99 then tells the scanner the host
  # was checked and is not affected, as opposed to "nothing to check".
  if(__pkg_match)
    exit(99);

  exit(0);
}
{"id": "OPENVAS:1361412562310808411", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for wordpress FEDORA-2016-d9bd0c4830", "description": "The remote host is missing an update for the ", "published": "2016-06-08T00:00:00", "modified": "2019-03-15T00:00:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808411", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ONPDRFTOLD3XFYP5NJYSVO6ASEYW7HKX", "2016-d9bd0c4830"], "cvelist": ["CVE-2016-4567", "CVE-2016-4566"], "lastseen": "2019-05-29T18:35:19", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2016-0359", "CPAI-2016-0361"]}, {"type": "cve", "idList": ["CVE-2016-4566", "CVE-2016-4567"]}, {"type": "debian", "idList": ["DEBIAN:BSA-110:3C6DE"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-4566", "DEBIANCVE:CVE-2016-4567"]}, {"type": "fedora", "idList": ["FEDORA:0CB1762A7F87", "FEDORA:3306D616656E", "FEDORA:6FC2261FE275"]}, {"type": "freebsd", "idList": ["3686917B-164D-11E6-94FA-002590263BF5"]}, {"type": "nessus", "idList": ["9387.PRM", "FEDORA_2016-CF91320535.NASL", "FEDORA_2016-D9BD0C4830.NASL", "FEDORA_2016-E97A850183.NASL", "FREEBSD_PKG_3686917B164D11E694FA002590263BF5.NASL", "WEB_APPLICATION_SCANNING_112556", "WORDPRESS_4_5_2.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808330", "OPENVAS:1361412562310808367"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-4566", "UB:CVE-2016-4567"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:60556C39-6FE7-4B69-A614-16202BA588AD", "WPVDB-ID:A82A6C6F-1787-4ADC-84DD-3151F1EDFD06"]}], "rev": 4}, "score": {"value": 5.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2016-0361"]}, {"type": "cve", "idList": 
["CVE-2016-4566", "CVE-2016-4567"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-4566"]}, {"type": "fedora", "idList": ["FEDORA:6FC2261FE275"]}, {"type": "freebsd", "idList": ["3686917B-164D-11E6-94FA-002590263BF5"]}, {"type": "nessus", "idList": ["FEDORA_2016-CF91320535.NASL", "FEDORA_2016-D9BD0C4830.NASL", "FEDORA_2016-E97A850183.NASL", "FREEBSD_PKG_3686917B164D11E694FA002590263BF5.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310808330"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-4566"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:60556C39-6FE7-4B69-A614-16202BA588AD"]}]}, "exploitation": null, "vulnersScore": 5.9}, "pluginID": "1361412562310808411", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for wordpress FEDORA-2016-d9bd0c4830\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808411\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-08 15:53:02 +0200 (Wed, 08 Jun 2016)\");\n script_cve_id(\"CVE-2016-4566\", \"CVE-2016-4567\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for wordpress FEDORA-2016-d9bd0c4830\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'wordpress'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"wordpress on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-d9bd0c4830\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ONPDRFTOLD3XFYP5NJYSVO6ASEYW7HKX\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC24\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~4.5.2~2.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "naslFamily": "Fedora Local Security Checks", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}
{"fedora": [{"lastseen": "2020-12-21T08:17:53", "description": "Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. Important information in /usr/share/doc/wordpress/README.fedora ", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-05-20T17:57:08", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: wordpress-4.5.2-2.fc24", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4566", "CVE-2016-4567"], "modified": "2016-05-20T17:57:08", "id": "FEDORA:6FC2261FE275", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "description": "Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. 
Important information in /usr/share/doc/wordpress/README.fedora ", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-05-20T23:53:47", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: wordpress-4.5.2-1.fc22", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4566", "CVE-2016-4567"], "modified": "2016-05-20T23:53:47", "id": "FEDORA:3306D616656E", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:53", "description": "Wordpress is an online publishing / weblog package that makes it very easy, almost trivial, to get information out to people on the web. 
Important information in /usr/share/doc/wordpress/README.fedora ", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-05-21T00:01:14", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: wordpress-4.5.2-1.fc23", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4566", "CVE-2016-4567"], "modified": "2016-05-21T00:01:14", "id": "FEDORA:0CB1762A7F87", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:35:48", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-06-08T00:00:00", "type": "openvas", "title": "Fedora Update for wordpress FEDORA-2016-cf91320535", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4567", "CVE-2016-4566"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310808367", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808367", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for wordpress FEDORA-2016-cf91320535\n#\n# Authors:\n# System Generated 
Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808367\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-08 15:41:46 +0200 (Wed, 08 Jun 2016)\");\n script_cve_id(\"CVE-2016-4566\", \"CVE-2016-4567\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for wordpress FEDORA-2016-cf91320535\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'wordpress'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"wordpress on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-cf91320535\");\n script_xref(name:\"URL\", 
value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KNZ5WANYWW2GTQYWXKFYGILFOIFV5SJN\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~4.5.2~1.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:35:04", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2016-06-08T00:00:00", "type": "openvas", "title": "Fedora Update for wordpress FEDORA-2016-e97a850183", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4567", "CVE-2016-4566"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310808330", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808330", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for wordpress FEDORA-2016-e97a850183\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that 
it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808330\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-08 15:42:02 +0200 (Wed, 08 Jun 2016)\");\n script_cve_id(\"CVE-2016-4566\", \"CVE-2016-4567\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for wordpress FEDORA-2016-e97a850183\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'wordpress'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"wordpress on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-e97a850183\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PKSGHYLKGFBY5CLCHKZJAMZTPDQLX2H5\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"wordpress\", rpm:\"wordpress~4.5.2~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2021-08-19T12:42:10", "description": "Helen Hou-Sandi reports :\n\nWordPress 4.5.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.\n\nWordPress versions 4.5.1 and earlier are affected by a SOME vulnerability through Plupload, the third-party library WordPress uses for uploading files. WordPress versions 4.2 through 4.5.1 are vulnerable to reflected XSS using specially crafted URIs through MediaElement.js, the third-party library used for media players.\nMediaElement.js and Plupload have also released updates fixing these issues.", "cvss3": {"score": 6.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2016-05-11T00:00:00", "type": "nessus", "title": "FreeBSD : wordpress -- multiple vulnerabilities (3686917b-164d-11e6-94fa-002590263bf5)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4566", "CVE-2016-4567"], "modified": "2021-01-04T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:de-wordpress", "p-cpe:/a:freebsd:freebsd:ja-wordpress", "p-cpe:/a:freebsd:freebsd:ru-wordpress", "p-cpe:/a:freebsd:freebsd:wordpress", "p-cpe:/a:freebsd:freebsd:zh-wordpress-zh_CN", "p-cpe:/a:freebsd:freebsd:zh-wordpress-zh_TW", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_3686917B164D11E694FA002590263BF5.NASL", "href": 
"https://www.tenable.com/plugins/nessus/91027", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(91027);\n script_version(\"2.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2016-4566\", \"CVE-2016-4567\");\n\n script_name(english:\"FreeBSD : wordpress -- multiple vulnerabilities (3686917b-164d-11e6-94fa-002590263bf5)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Helen Hou-Sandi reports :\n\nWordPress 4.5.2 is now available. This is a security release for all\nprevious versions and we strongly encourage you to update your sites\nimmediately.\n\nWordPress versions 4.5.1 and earlier are affected by a SOME\nvulnerability through Plupload, the third-party library WordPress uses\nfor uploading files. 
WordPress versions 4.2 through 4.5.1 are\nvulnerable to reflected XSS using specially crafted URIs through\nMediaElement.js, the third-party library used for media players.\nMediaElement.js and Plupload have also released updates fixing these\nissues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://wordpress.org/news/2016/05/wordpress-4-5-2/\"\n );\n # http://www.openwall.com/lists/oss-security/2016/05/07/7\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2016/05/07/7\"\n );\n # https://vuxml.freebsd.org/freebsd/3686917b-164d-11e6-94fa-002590263bf5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?50dc04c7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:de-wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ja-wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ru-wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zh-wordpress-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:zh-wordpress-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/11\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"wordpress<4.5.2,1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"de-wordpress<4.5.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ja-wordpress<4.5.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ru-wordpress<4.5.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zh-wordpress-zh_CN<4.5.2\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"zh-wordpress-zh_TW<4.5.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-03-27T15:16:37", "description": "According to its self-reported version number, MediaElement.js is prior to 2.21.1. 
Therefore, it may be affected by a cross-site scripting vulnerability in flashmediaelement.swf.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 6.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-02-18T00:00:00", "type": "nessus", "title": "MediaElement.js < 2.21.1 Cross-Site Scripting", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4567"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:mediaelementjs:mediaelement.js:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_112556", "href": "https://www.tenable.com/plugins/was/112556", "sourceData": "No source data", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T12:41:21", "description": "**WordPress 4.5.2** is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.\n\nSee the [Release announcement](https://wordpress.org/news/2016/05/wordpress-4-5-2/)\n\n----\n\nVersion 4.5.1 of WordPress is available and fixes 12 bugs. 
\n\nSee [Release announcement](https://wordpress.org/news/2016/04/wordpress-4-5-1-maint enance-release/)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2016-07-14T00:00:00", "type": "nessus", "title": "Fedora 22 : wordpress (2016-e97a850183)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4566"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:wordpress", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2016-E97A850183.NASL", "href": "https://www.tenable.com/plugins/nessus/92193", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-e97a850183.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92193);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4566\");\n script_xref(name:\"FEDORA\", value:\"2016-e97a850183\");\n\n script_name(english:\"Fedora 22 : wordpress (2016-e97a850183)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"**WordPress 4.5.2** is now available. 
This is a security release for\nall previous versions and we strongly encourage you to update your\nsites immediately.\n\nSee the [Release\nannouncement](https://wordpress.org/news/2016/05/wordpress-4-5-2/)\n\n----\n\nVersion 4.5.1 of WordPress is available and fixes 12 bugs. \n\nSee [Release\nannouncement](https://wordpress.org/news/2016/04/wordpress-4-5-1-maint\nenance-release/)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-e97a850183\"\n );\n # https://wordpress.org/news/2016/04/wordpress-4-5-1-maintenance-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?86580192\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"wordpress-4.5.2-1.fc22\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T12:41:27", "description": "**WordPress 4.5.2** is now available. 
This is a security release for all previous versions and we strongly encourage you to update your sites immediately.\n\nSee the [Release announcement](https://wordpress.org/news/2016/05/wordpress-4-5-2/)\n\n---\n\n**Packaging changes**\n\n - provide nginx configuration\n\n - drop mandatory dependency on httpd (only suggested) and mod_php (php-fpm works)\n\n - protect php files in uploads directory\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2016-07-14T00:00:00", "type": "nessus", "title": "Fedora 24 : wordpress (2016-d9bd0c4830)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4566"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:wordpress", "cpe:/o:fedoraproject:fedora:24"], "id": "FEDORA_2016-D9BD0C4830.NASL", "href": "https://www.tenable.com/plugins/nessus/92180", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-d9bd0c4830.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92180);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4566\");\n script_xref(name:\"FEDORA\", value:\"2016-d9bd0c4830\");\n\n script_name(english:\"Fedora 24 : wordpress (2016-d9bd0c4830)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n 
value:\n\"**WordPress 4.5.2** is now available. This is a security release for\nall previous versions and we strongly encourage you to update your\nsites immediately.\n\nSee the [Release\nannouncement](https://wordpress.org/news/2016/05/wordpress-4-5-2/)\n\n---\n\n**Packaging changes**\n\n - provide nginx configuration\n\n - drop mandatory dependency on httpd (only suggested) and\n mod_php (php-fpm works)\n\n - protect php files in uploads directory\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-d9bd0c4830\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:24\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^24([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 24\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC24\", reference:\"wordpress-4.5.2-2.fc24\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T12:41:32", "description": "**WordPress 4.5.2** is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.\n\nSee the [Release announcement](https://wordpress.org/news/2016/05/wordpress-4-5-2/)\n\n----\n\nVersion 4.5.1 of WordPress is available and fixes 12 bugs. 
\n\nSee [Release announcement](https://wordpress.org/news/2016/04/wordpress-4-5-1-maintenance-release/)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.1, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2016-07-14T00:00:00", "type": "nessus", "title": "Fedora 23 : wordpress (2016-cf91320535)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-4566"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:wordpress", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-CF91320535.NASL", "href": "https://www.tenable.com/plugins/nessus/92166", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2016-cf91320535.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92166);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2016-4566\");\n script_xref(name:\"FEDORA\", value:\"2016-cf91320535\");\n\n script_name(english:\"Fedora 23 : wordpress (2016-cf91320535)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"**WordPress 4.5.2** is now available. 
This is a security release for\nall previous versions and we strongly encourage you to update your\nsites immediately.\n\nSee the [Release\nannouncement](https://wordpress.org/news/2016/05/wordpress-4-5-2/)\n\n----\n\nVersion 4.5.1 of WordPress is available and fixes 12 bugs. \n\nSee [Release\nannouncement](https://wordpress.org/news/2016/04/wordpress-4-5-1-maint\nenance-release/)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2016-cf91320535\"\n );\n # https://wordpress.org/news/2016/04/wordpress-4-5-1-maintenance-release/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?86580192\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected wordpress package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:wordpress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"wordpress-4.5.2-1.fc23\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"wordpress\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T12:41:08", "description": "Versions of WordPress prior to 4.5.2 are affected by multiple vulnerabilities :\n\n - A flaw exists that is triggered when using the 'ephemeral' pseudo protocol, which may allow a context-dependent attacker to delete arbitrary files.\n - A flaw exists in the 'ms' pseudo protocol that is triggered when moving image files. 
This may allow a context-dependent attacker to move arbitrary files to arbitrary locations.\n - A flaw exists in the 'label' pseudo protocol that is triggered during the handling of a specially crafted image. This may allow a context-dependent attacker to read arbitrary files.\n - A flaw known as 'ImageTragick' is triggered as shell characters are not properly filtered in filenames passed to delegate commands. This may allow a context-dependent attacker to inject arbitrary shell commands and subsequently execute arbitrary code.\n - 'MediaElement.js' contains a flaw that allows a reflected cross-site scripting (XSS) attack. The program does not validate input before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.\n - Plupload contains an unspecified same-origin method execution flaw. No further details have been provided.", "cvss3": {"score": 4.2, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L"}, "published": "2016-07-07T00:00:00", "type": "nessus", "title": "WordPress < 4.5.2 Multiple Vulnerabilities (ImageTragick)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3714", "CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3717", "CVE-2016-4566", "CVE-2016-4567"], "modified": "2019-03-06T00:00:00", "cpe": ["cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*"], "id": "9387.PRM", "href": "https://www.tenable.com/plugins/nnm/9387", "sourceData": "Binary data 9387.prm", "cvss": {"score": 5.8, "vector": "CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2022-03-27T14:56:13", "description": "According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.5.2.\nIt is, therefore, affected by the following vulnerabilities :\n\n - A remote code execution vulnerability, known as ImageTragick, exists in the ImageMagick 
library due to a failure to properly filter shell characters in filenames passed to delegate commands. A remote attacker can exploit this, via specially crafted images, to inject shell commands and execute arbitrary code.\n (CVE-2016-3714)\n\n - An unspecified flaw exists in the ImageMagick library in the 'ephemeral' pseudo protocol that allows an attacker to delete arbitrary files. (CVE-2016-3715)\n\n - An unspecified flaw exists in the ImageMagick library in the 'ms' pseudo protocol that allows an attacker to move arbitrary files to arbitrary locations. (CVE-2016-3716)\n\n - An unspecified flaw exists in the ImageMagick library in the 'label' pseudo protocol that allows an attacker, via a specially crafted image, to read arbitrary files.\n (CVE-2016-3717)\n\n - A server-side request forgery (SSRF) vulnerability exists due to an unspecified flaw related to request handling between a user and the server. A remote attacker can exploit this, via an MVG file with a specially crafted fill element, to bypass access restrictions and conduct host-based attacks.\n (CVE-2016-3718)\n\n - An unspecified flaw exists in Plupload that allows an attacker to perform a same-origin method execution.\n (CVE-2016-4566)\n\n - A reflected cross-site scripting vulnerability exists in MediaElement.js due to improper validation of user-supplied input. A context-dependent attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. 
(CVE-2016-4567)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.4, "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-05-12T00:00:00", "type": "nessus", "title": "WordPress < 4.5.2 Multiple Vulnerabilities (ImageTragick)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-3714", "CVE-2016-3715", "CVE-2016-3716", "CVE-2016-3717", "CVE-2016-3718", "CVE-2016-4566", "CVE-2016-4567"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:wordpress:wordpress"], "id": "WORDPRESS_4_5_2.NASL", "href": "https://www.tenable.com/plugins/nessus/91101", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91101);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2016-3714\",\n \"CVE-2016-3715\",\n \"CVE-2016-3716\",\n \"CVE-2016-3717\",\n \"CVE-2016-3718\",\n \"CVE-2016-4566\",\n \"CVE-2016-4567\"\n );\n script_bugtraq_id(\n 89848,\n 89849,\n 89852,\n 89861,\n 89866,\n 90300\n );\n script_xref(name:\"CERT\", value:\"250519\");\n script_xref(name:\"EDB-ID\", value:\"39767\");\n script_xref(name:\"EDB-ID\", value:\"39791\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"WordPress < 4.5.2 Multiple Vulnerabilities (ImageTragick)\");\n script_summary(english:\"Checks the version of WordPress.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The PHP application running on the remote web server is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the WordPress\napplication running on the remote web server is prior to 4.5.2.\nIt is, therefore, affected by the following vulnerabilities :\n\n - A remote code execution vulnerability, 
known as\n ImageTragick, exists in the ImageMagick library due to a\n failure to properly filter shell characters in filenames\n passed to delegate commands. A remote attacker can\n exploit this, via specially crafted images, to inject\n shell commands and execute arbitrary code.\n (CVE-2016-3714)\n\n - An unspecified flaw exists in the ImageMagick library in\n the 'ephemeral' pseudo protocol that allows an attacker\n to delete arbitrary files. (CVE-2016-3715)\n\n - An unspecified flaw exists in the ImageMagick library in\n the 'ms' pseudo protocol that allows an attacker to move\n arbitrary files to arbitrary locations. (CVE-2016-3716)\n\n - An unspecified flaw exists in the ImageMagick library in\n the 'label' pseudo protocol that allows an attacker, via\n a specially crafted image, to read arbitrary files.\n (CVE-2016-3717)\n\n - A server-side request forgery (SSRF) vulnerability\n exists due to an unspecified flaw related to request\n handling between a user and the server. A remote\n attacker can exploit this, via an MVG file with a\n specially crafted fill element, to bypass access\n restrictions and conduct host-based attacks.\n (CVE-2016-3718)\n\n - An unspecified flaw exists in Plupload that allows an\n attacker to perform a same-origin method execution.\n (CVE-2016-4566)\n\n - A reflected cross-site scripting vulnerability exists in\n MediaElement.js due to improper validation of\n user-supplied input. A context-dependent attacker can\n exploit this, via a specially crafted request, to\n execute arbitrary script code in a user's browser\n session. 
(CVE-2016-4567)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://wordpress.org/news/2016/05/wordpress-4-5-2/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://imagetragick.com/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to WordPress version 4.5.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3714\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/12\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_detect.nasl\");\n script_require_keys(\"www/PHP\", \"installed_sw/WordPress\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"WordPress\";\nport = get_http_port(default:80, php:TRUE);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"fixed_version\":\"3.7.14\", \"fixed_display\" : \"3.7.14 / 4.5.2\" },\n { \"min_version\":\"3.8\", \"fixed_version\":\"3.8.14\", \"fixed_display\" : \"3.8.14 / 4.5.2\" },\n { \"min_version\":\"3.9\", \"fixed_version\":\"3.9.12\", \"fixed_display\" : \"3.9.12 / 4.5.2\" },\n { \"min_version\":\"4.0\", \"fixed_version\":\"4.0.11\", \"fixed_display\" : \"4.0.11 / 4.5.2\" },\n { \"min_version\":\"4.1\", \"fixed_version\":\"4.1.11\", \"fixed_display\" : \"4.1.11 / 4.5.2\" },\n { \"min_version\":\"4.2\", \"fixed_version\":\"4.2.8\", \"fixed_display\" : \"4.2.8 / 4.5.2\" },\n { \"min_version\":\"4.3\", \"fixed_version\":\"4.3.4\", \"fixed_display\" : \"4.3.4 / 4.5.2\" },\n { \"min_version\":\"4.4\", \"fixed_version\":\"4.4.3\", \"fixed_display\" : \"4.4.3 / 4.5.2\" },\n { \"min_version\":\"4.5\", \"fixed_version\":\"4.5.2\", \"fixed_display\" : \"4.5.2\" }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{xss:TRUE}\n);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2022-01-19T15:51:32", "description": "\n\nHelen Hou-Sandi reports:\n\nWordPress 4.5.2 is now available. 
This is a security release for\n\t all previous versions and we strongly encourage you to update your\n\t sites immediately.\nWordPress versions 4.5.1 and earlier are affected by a SOME\n\t vulnerability through Plupload, the third-party library WordPress\n\t uses for uploading files. WordPress versions 4.2 through 4.5.1 are\n\t vulnerable to reflected XSS using specially crafted URIs through\n\t MediaElement.js, the third-party library used for media players.\n\t MediaElement.js and Plupload have also released updates fixing\n\t these issues.\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-05-06T00:00:00", "type": "freebsd", "title": "wordpress -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4566", "CVE-2016-4567"], "modified": "2016-05-06T00:00:00", "id": "3686917B-164D-11E6-94FA-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/3686917b-164d-11e6-94fa-002590263bf5.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "patchstack": [{"lastseen": "2022-04-20T20:08:17", "description": "This vulnerability in flash/FlashMediaElement.as in MediaElement.js 
allows an attacker to inject arbitrary web script or HTML via the query string.\n\n## Solution\n\nUpdate WordPress.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2016-05-07T00:00:00", "type": "patchstack", "title": "WordPress <= 2.20.9 - XSS", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4567"], "modified": "2016-05-07T00:00:00", "id": "PATCHSTACK:58E11365659AAEBBF295166A52CBE214", "href": "https://patchstack.com/database/vulnerability/wordpress/wordpress-2-20-9-xss", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-04-20T20:08:17", "description": "This vulnerability in plupload.flash.swf in Plupload before 2.1.9 allows an attacker to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.\n\n## Solution\n\nUpdate WordPress.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2016-05-07T00:00:00", "type": "patchstack", "title": "WordPress <= 4.5.1 - XSS", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4566"], "modified": "2016-05-07T00:00:00", "id": "PATCHSTACK:16679D3805E7964384A473C792D38E79", "href": "https://patchstack.com/database/vulnerability/wordpress/wordpress-4-5-1-xss", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:43:17", "description": "A cross-site scripting vulnerability exists in WordPress Core Flash File. 
Successful exploitation of this vulnerability would allow remote attackers to inject an arbitrary web script into the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-05-17T00:00:00", "type": "checkpoint_advisories", "title": "WordPress Core Flash File Cross-Site Scripting (CVE-2016-4567)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4567"], "modified": "2016-05-18T00:00:00", "id": "CPAI-2016-0359", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-12-17T11:43:16", "description": "A same-origin method execution vulnerability exists in WordPress Core Flash File. 
Successful exploitation of this vulnerability would allow remote attackers to inject an arbitrary web script into the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-05-18T00:00:00", "type": "checkpoint_advisories", "title": "WordPress Core Flash File Same-Origin Method Execution (CVE-2016-4566)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4566"], "modified": "2016-05-19T00:00:00", "id": "CPAI-2016-0361", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "wpvulndb": [{"lastseen": "2021-02-15T21:55:18", "description": "\n", "cvss3": {}, "published": "2016-05-06T00:00:00", "type": "wpvulndb", "title": "WordPress 4.2-4.5.1 - MediaElement.js Reflected Cross-Site Scripting (XSS)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-4567"], "modified": "2020-09-22T07:16:03", "id": "WPVDB-ID:60556C39-6FE7-4B69-A614-16202BA588AD", "href": "https://wpscan.com/vulnerability/60556c39-6fe7-4b69-a614-16202ba588ad", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-02-15T21:58:50", "description": "Affects 
'wp-includes/js/plupload/plupload.flash.swf'\n", "cvss3": {}, "published": "2016-05-06T00:00:00", "type": "wpvulndb", "title": "WordPress <= 4.5.1 - Pupload Same Origin Method Execution (SOME)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-4566"], "modified": "2020-09-22T07:16:04", "id": "WPVDB-ID:A82A6C6F-1787-4ADC-84DD-3151F1EDFD06", "href": "https://wpscan.com/vulnerability/a82a6c6f-1787-4adc-84dd-3151f1edfd06", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "cve": [{"lastseen": "2022-03-23T14:05:23", "description": "Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by \"jsinitfunctio%gn.\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2016-05-22T01:59:00", "type": "cve", "title": "CVE-2016-4567", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4567"], "modified": "2016-12-02T23:01:00", "cpe": 
["cpe:/a:wordpress:wordpress:4.5.1", "cpe:/a:mediaelementjs:mediaelement.js:2.20.1"], "id": "CVE-2016-4567", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4567", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:wordpress:wordpress:4.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:mediaelementjs:mediaelement.js:2.20.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T14:05:21", "description": "Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2016-05-22T01:59:00", "type": "cve", "title": "CVE-2016-4566", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4566"], "modified": "2016-12-02T22:56:00", "cpe": ["cpe:/a:plupload:plupload:2.1.8", "cpe:/a:wordpress:wordpress:4.5.1"], "id": "CVE-2016-4566", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4566", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": 
["cpe:2.3:a:wordpress:wordpress:4.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:plupload:plupload:2.1.8:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2022-01-23T12:12:49", "description": "Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in\nMediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows\nremote attackers to inject arbitrary web script or HTML via an obfuscated\nform of the jsinitfunction parameter, as demonstrated by\n\"jsinitfunctio%gn.\"\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823649>\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-05-22T00:00:00", "type": "ubuntucve", "title": "CVE-2016-4567", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4567"], "modified": "2016-05-22T00:00:00", "id": "UB:CVE-2016-4567", "href": "https://ubuntu.com/security/CVE-2016-4567", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-11-22T21:46:50", "description": "Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload\nbefore 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to\ninject arbitrary web 
script or HTML via a Same-Origin Method Execution\n(SOME) attack.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823640>\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-05-22T00:00:00", "type": "ubuntucve", "title": "CVE-2016-4566", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4566"], "modified": "2016-05-22T00:00:00", "id": "UB:CVE-2016-4566", "href": "https://ubuntu.com/security/CVE-2016-4566", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2021-12-14T17:50:33", "description": "Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by \"jsinitfunctio%gn.\"", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, 
"privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-05-22T01:59:00", "type": "debiancve", "title": "CVE-2016-4567", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4567"], "modified": "2016-05-22T01:59:00", "id": "DEBIANCVE:CVE-2016-4567", "href": "https://security-tracker.debian.org/tracker/CVE-2016-4567", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-04-08T07:41:56", "description": "Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2016-05-22T01:59:00", "type": "debiancve", "title": "CVE-2016-4566", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4566"], "modified": "2016-05-22T01:59:00", "id": "DEBIANCVE:CVE-2016-4566", "href": "https://security-tracker.debian.org/tracker/CVE-2016-4566", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2021-10-23T22:48:58", "description": "\nCraig Small <csmall@debian.org> uploaded new packages for wordpress\nwhich fixed the following security problems:\n\nCVE-2016-4566 Reflected XSS in PLupload and mediaelement\n\nFor the jessie-backports distribution the problems have been fixed in\nversion 4.5.2+dfsg-1~bpo8+1\n\n-- \nCraig Small (@smallsees) http://enc.com.au/ csmall at : enc.com.au\nDebian GNU/Linux http://www.debian.org/ csmall at : debian.org\nGPG fingerprint: 5D2F B320 B825 D939 04D2 0519 3938 F96B DF50 FEA5\nAttachment:\nsignature.asc\nDescription: PGP signature\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2016-05-11T11:04:02", "type": "debian", "title": "[BSA-110] Security Update for wordpress", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": 
"AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4566"], "modified": "2016-05-11T11:04:02", "id": "DEBIAN:BSA-110:3C6DE", "href": "https://lists.debian.org/debian-backports-announce/2016/05/msg00000.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}