Lucene search

PRIOn knowledge basePRION:CVE-2017-17091

HistoryDec 02, 2017 - 6:29 a.m.

Design/Logic Flaw

2017-12-0206:29:00

PRIOn knowledge base

www.prio-n.com

8.5 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.8%

JSON

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.

CPENameOperatorVersion
wordpressle4.9

CPE	Name	Operator	Version
	wordpress	le	4.9

References

www.securityfocus.com/bid/102024

codex.wordpress.org/Version_4.9.1

github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c

lists.debian.org/debian-lts-announce/2017/12/msg00019.html

wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/

wpvulndb.com/vulnerabilities/8969

www.debian.org/security/2018/dsa-4090