7.5

CVE-2017-9065

WordPress Core < 4.7.5 - Authorization Bypass Allowing Post Meta Updates

In WordPress before 4.7.5, there is a lack of capability checks for post meta data in the XML-RPC API.
Mögliche Gegenmaßnahme
WordPress: Update to one of the following versions, or a newer patched version: 3.7.21, 3.8.21, 3.9.19, 4.0.18, 4.1.18, 4.2.15, 4.3.11, 4.4.10, 4.5.9, 4.6.6, 4.7.5
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
WordpressWordpress Version <= 4.7.4
DebianDebian Linux Version8.0
DebianDebian Linux Version9.0
Weitere Schwachstelleninformationen
SystemWordPress Core
Produkt WordPress
Version [*, 3.7)
Version 3.7-3.7.20
Version 3.8-3.8.20
Version 3.9-3.9.18
Version 4.0-4.0.17
Version 4.1-4.1.17
Version 4.2-4.2.14
Version 4.3-4.3.10
Version 4.4-4.4.9
Version 4.5-4.5.8
Version 4.6-4.6.5
Version 4.7-4.7.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.08% 0.894
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:P/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://www.debian.org/security/2017/dsa-3870
Third Party Advisory
http://www.securityfocus.com/bid/98509
Third Party Advisory
VDB Entry
http://www.securitytracker.com/id/1038520
Third Party Advisory
VDB Entry
https://codex.wordpress.org/Version_4.7.5
Patch
Vendor Advisory
Release Notes
https://wordpress.org/news/2017/05/wordpress-4-7-5/
Patch
Vendor Advisory
https://github.com/WordPress/WordPress/commit/e88a48a066ab2200ce3091b131d43e2fab2460a4
Patch
Third Party Advisory
https://wpvulndb.com/vulnerabilities/8817
Patch
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/801d6f21-1f52-48d4-9f8e-5c971dd037f7
Third Party Advisory