6.1

CVE-2015-5714

WordPress Core < 4.3.1 - Cross-Site Scripting via Shortcodes

Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags.
Mögliche Gegenmaßnahme
WordPress: Update to one of the following versions, or a newer patched version: 3.7.11, 3.8.11, 3.9.9, 4.0.8, 4.1.8, 4.2.5, 4.3.1
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WordpressWordpress Version <= 4.3.0
Weitere Schwachstelleninformationen
SystemWordPress Core
Produkt WordPress
Version [*, 3.7)
Version 3.7-3.7.10
Version 3.8-3.8.10
Version 3.9-3.9.8
Version 4.0-4.0.7
Version 4.1-4.1.7
Version 4.2-4.2.4
Version 4.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.39% 0.928
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.1 2.8 2.7
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://www.debian.org/security/2015/dsa-3383
http://www.debian.org/security/2015/dsa-3375
http://www.securityfocus.com/bid/76745
http://www.securitytracker.com/id/1033979
https://codex.wordpress.org/Version_4.3.1
Patch
https://github.com/WordPress/WordPress/commit/f72b21af23da6b6d54208e5c1d65ececdaa109c8
https://security-tracker.debian.org/tracker/CVE-2015-5714
https://wordpress.org/news/2015/09/wordpress-4-3-1/
Patch
Vendor Advisory
https://wpvulndb.com/vulnerabilities/8186
https://www.wordfence.com/threat-intel/vulnerabilities/id/4c1f4487-c684-4602-9b93-e547e2d38a64
Third Party Advisory