Lucene search

GoogleOSV:BIT-WORDPRESS-2024-31211

HistoryApr 06, 2024 - 6:33 p.m.

BIT-wordpress-2024-31211

2024-04-0618:33:49

Google

osv.dev

wordpress

vulnerability

code execution

wp_html_token

unserialization

6.4.2

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.0%

JSON

WordPress is an open publishing platform for the Web. Unserialization of instances of the WP_HTML_Token class allows for code execution via its __destruct() magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.

CPENameOperatorVersion
wordpressge6.4.0
wordpresslt6.4.2

CPE	Name	Operator	Version
	wordpress	ge	6.4.0
	wordpress	lt	6.4.2

References

github.com/WordPress/wordpress-develop/security/advisories/GHSA-m257-q4m5-j653

5.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for OSV:BIT-WORDPRESS-2024-31211