WordPress Multiple Security Vulnerabilities
BID:69096
Info
| Bugtraq ID: | 69096 |
| Class: | Unknown |
| CVE: | CVE-2014-2053 CVE-2014-5203 CVE-2014-5204 CVE-2014-5205 CVE-2014-5240 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 06 2014 12:00AM |
| Updated: | Apr 13 2015 09:28PM |
| Credit: | Nir Goldshlager, Alex Concha, Ivan Novikov, and David Tomaschik. |
| Vulnerable: |
WordPress WordPress 3.9.1 WordPress WordPress 3.8.2 WordPress WordPress 3.8.1 WordPress WordPress 3.7.1 WordPress WordPress 3.6.1 WordPress WordPress 3.6 WordPress WordPress 3.5.2 WordPress WordPress 3.5.1 WordPress WordPress 3.3.2 WordPress WordPress 3.2.2 WordPress WordPress 3.1.4 WordPress WordPress 3.1.3 WordPress WordPress 3.1.2 WordPress WordPress 3.1.1 WordPress WordPress 3.0.5 WordPress WordPress 3.0.4 WordPress WordPress 3.0.3 WordPress WordPress 3.0.2 WordPress WordPress 2.9.2 WordPress WordPress 2.9.1 WordPress WordPress 2.8.6 WordPress WordPress 2.8.5 WordPress WordPress 2.8.4 WordPress WordPress 2.8.3 WordPress WordPress 2.8.2 WordPress WordPress 2.8.1 WordPress WordPress 2.6.5 WordPress WordPress 2.6.2 WordPress WordPress 2.6.1 WordPress WordPress 2.5.1 WordPress WordPress 2.3.3 WordPress WordPress 2.3.2 WordPress WordPress 2.3.1 WordPress WordPress 2.2.3 WordPress WordPress 2.2.2 WordPress WordPress 2.2.1 WordPress WordPress 2.1.3 WordPress WordPress 2.1.2 WordPress WordPress 2.1.1 WordPress WordPress 2.0.11 WordPress WordPress 2.0.10 WordPress WordPress 2.0.7 WordPress WordPress 2.0.6 WordPress WordPress 2.0.5 WordPress WordPress 2.0.4 WordPress WordPress 2.0.3 WordPress WordPress 2.0.2 WordPress WordPress 2.0.1 WordPress WordPress 2.0 WordPress WordPress 1.5.2 WordPress WordPress 1.5.1 .3 WordPress WordPress 1.5.1 .2 WordPress WordPress 1.5.1 WordPress WordPress 1.5 WordPress WordPress 1.3.1 WordPress WordPress 1.2.2 WordPress WordPress 1.2.1 WordPress WordPress 1.2 WordPress WordPress 0.7 WordPress WordPress 3.9 WordPress WordPress 3.8 WordPress WordPress 3.7 WordPress WordPress 3.6 WordPress WordPress 3.5.0 WordPress WordPress 3.5 WordPress WordPress 3.4.2 WordPress WordPress 3.4.1 WordPress WordPress 3.4.0 WordPress WordPress 3.4 WordPress WordPress 3.3.3 WordPress WordPress 3.3.1 WordPress WordPress 3.3 WordPress WordPress 3.2.1 WordPress WordPress 3.2-RC3 WordPress WordPress 3.2-RC1 WordPress WordPress 3.2 Beta1 WordPress WordPress 3.2 
WordPress WordPress 3.1 WordPress WordPress 3.0.6 WordPress WordPress 3.0.1 WordPress WordPress 2.9.1.1 WordPress WordPress 2.9 WordPress WordPress 2.8.5.2 WordPress WordPress 2.8.5.1 WordPress WordPress 2.8 WordPress WordPress 2.7.1 WordPress WordPress 2.7 WordPress WordPress 2.6.3 WordPress WordPress 2.6 WordPress WordPress 2.5 WordPress WordPress 2.3 WordPress WordPress 2.2 WordPress WordPress 2.1 WordPress WordPress 2.0.9 WordPress WordPress 2.0.8 WordPress WordPress 1.6.2 WordPress WordPress 1.5.1.1 WordPress WordPress 1.5 WordPress WordPress 1.3.3 WordPress WordPress 1.3.2 WordPress WordPress 1.3 WordPress WordPress 1.2.5 WordPress WordPress 1.2.4 WordPress WordPress 1.2.3 WordPress WordPress 1.1.1 WordPress WordPress 1.0.2 WordPress WordPress 1.0.1 WordPress WordPress 0.71 Debian Linux 6.0 sparc Debian Linux 6.0 s/390 Debian Linux 6.0 powerpc Debian Linux 6.0 mips Debian Linux 6.0 ia-64 Debian Linux 6.0 ia-32 Debian Linux 6.0 arm Debian Linux 6.0 amd64 |
| Not Vulnerable: |
WordPress WordPress 3.9.2 |
Discussion
WordPress is prone to multiple security vulnerabilities including:
1. A remote code-execution vulnerability
2. An unspecified cross-site scripting vulnerability
3. A denial-of-service vulnerability
4. An information-disclosure vulnerability
5. A cross-site request-forgery vulnerability
An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, to disclose sensitive information, to execute arbitrary code, to perform unauthorized actions in the context of a user's session, or to cause denial-of-service conditions. Other attacks are also possible.
Versions prior to WordPress 3.9.2 are vulnerable.
Exploit / POC
Attackers can exploit some of these issues through a browser. To exploit the cross-site scripting and cross-site request-forgery issues, an attacker must entice an unsuspecting user into following a malicious URI.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References:
- WordPress 3.9.2 Security Release (WordPress)
- WordPress HomePage (WordPress)