5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
WordPress 4.2.3 is prone to a cross site scripting and SQL injection vulnerabilities that exist because the sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php does not use a constant-time comparison for widgets. In this way an attacker can execute a timing side-channel attack by measuring the delay before inequality is calculated.
Update WordPress.