7.5

CVE-2017-5493

EPSS 1.67%
Published 15.01.2017 02:59:03
Last modified 20.04.2025 01:37:25
Source cve@mitre.org
Teams watchlist Login
Open Login

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

Affected products Warnungen 0 Metrics 3 CWE 1 References 11

Data is provided by the National Vulnerability Database (NVD)

Wordpress ≫ Wordpress Version <= 4.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.67%	0.815

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

http://www.openwall.com/lists/oss-security/2017/01/14/6

Third Party Advisory

Mailing List

http://www.securitytracker.com/id/1037591

https://codex.wordpress.org/Version_4.7.1

Vendor Advisory

Release Notes

https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/

Vendor Advisory

http://www.debian.org/security/2017/dsa-3779

http://www.securityfocus.com/bid/95401

https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4

Patch

https://wpvulndb.com/vulnerabilities/8721

https://nvd.nist.gov/vuln/detail/CVE-2017-5493

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-5493

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-5493

EUVD