Description

WordPress is prone to multiple vulnerabilities, including remote code execution, security bypass and open redirect vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary code with the privileges of the user running the application, to compromise the application or the underlying database, to access or modify data, to compromise a vulnerable system, to perform otherwise restricted actions and subsequently create posts "written by" another user or to redirect users to arbitrary web sites and conduct phishing attacks. WordPress versions prior to 3.6.1 are vulnerable.

Remediation

Update to WordPress version 3.6.1 or latest

References

https://vagosec.org/2013/09/wordpress-php-object-injection/

https://vagosec.org/2013/12/wordpress-rce-exploit/

http://seclists.org/fulldisclosure/2013/Dec/174

https://wordpress.org/news/2013/09/wordpress-3-6-1/

Related Vulnerabilities

Chamilo Unrestricted Upload of File with Dangerous Type Vulnerability (CVE-2019-13082)

WordPress Plugin BackUpWordPress Remote File Inclusion (0.4.2b)

Oracle Application Server CVE-2006-5359 Vulnerability (CVE-2006-5359)

WordPress Plugin Import all XML, CSV & TXT into WordPress Cross-Site Scripting (3.8.7)

Werkzeug WSGI Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2019-14322)

Severity

High

Classification

CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739 CWE-20 CWE-94 CWE-264 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update