4.9 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
This WordPress vulnerability was found in the way that WordPress handles some URL
requests. It results the content of plugins configuration pages in some plugins modifying plugin options, unprivileged users viewing and injecting JavaScript code.
The code is abitrary and it may be run by a malicious attacker, if the administrator of the blog runs injected JavasScript code that edits blogโs PHP code. Most of all the blogs that are powered by WordPress and hosted outside โWordPress.comโ, let any person to create unprivileged users that are called subscribers.
Also, there disclosure of important usernameโs information were found in WordPress.
A vulnerability may be mitigated by controlling access to file that is inside the "wp-admin" folder. It can be done by using Apache access control mechanism, in other words, ".htaccess" file.