WordPress Multiple Input Validation Vulnerabilities
BID:25161
Info
WordPress Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 25161 |
| Class: | Input Validation Error |
| CVE: |
CVE-2007-3238 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 01 2007 12:00AM |
| Updated: | Feb 22 2008 02:23PM |
| Credit: | Benjamin Flesch is credited with the discovery of these vulnerabilities. |
| Vulnerable: |
WordPress WordPress 2.2.1 Debian Linux 4.0 sparc Debian Linux 4.0 s/390 Debian Linux 4.0 powerpc Debian Linux 4.0 mipsel Debian Linux 4.0 mips Debian Linux 4.0 m68k Debian Linux 4.0 ia-64 Debian Linux 4.0 ia-32 Debian Linux 4.0 hppa Debian Linux 4.0 arm Debian Linux 4.0 amd64 Debian Linux 4.0 alpha Debian Linux 4.0 |
| Not Vulnerable: | |
Discussion
WordPress Multiple Input Validation Vulnerabilities
WordPress is prone to multiple input-validation vulnerabilities because the application fails to sanitize user-supplied input. These issues include multiple cross-site scripting vulnerabilities, an HTML-injection vulnerability, and multiple SQL-injection vulnerabilities.
A successful exploit may allow an attacker to steal cookie-based authentication credentials, execute malicious script code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
WordPress 2.2.1 is vulnerable; other versions may also be affected.
WordPress is prone to multiple input-validation vulnerabilities because the application fails to sanitize user-supplied input. These issues include multiple cross-site scripting vulnerabilities, an HTML-injection vulnerability, and multiple SQL-injection vulnerabilities.
A successful exploit may allow an attacker to steal cookie-based authentication credentials, execute malicious script code, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
WordPress 2.2.1 is vulnerable; other versions may also be affected.
Exploit / POC
WordPress Multiple Input Validation Vulnerabilities
To exploit a cross-site scripting vulnerability, an attacker entices an unsuspecting victim to follow a malicious URI. The attacker can exploit HTML-injection and SQL-injection vulnerabilities through a browser.
To exploit a cross-site scripting vulnerability, an attacker entices an unsuspecting victim to follow a malicious URI. The attacker can exploit HTML-injection and SQL-injection vulnerabilities through a browser.
Solution / Fix
WordPress Multiple Input Validation Vulnerabilities
Solution:
Vendor fixes are available. Please see the references for more information.
Solution:
Vendor fixes are available. Please see the references for more information.
References
WordPress Multiple Input Validation Vulnerabilities
References:
References:
- WordPress Homepage (WordPress)
- Wordpress ZeroDay Vulnerability Roundhouse Kick and why I nearly wrote the first (Wordpress)