Description

WordPress is prone to multiple vulnerabilities, including remote code execution, security bypass and open redirect vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary code with the privileges of the user running the application, to compromise the application or the underlying database, to access or modify data, to compromise a vulnerable system, to perform otherwise restricted actions and subsequently create posts "written by" another user or to redirect users to arbitrary web sites and conduct phishing attacks. WordPress versions prior to 3.6.1 are vulnerable.

Remediation

Update to WordPress version 3.6.1 or latest

References

https://vagosec.org/2013/09/wordpress-php-object-injection/

https://vagosec.org/2013/12/wordpress-rce-exploit/

http://seclists.org/fulldisclosure/2013/Dec/174

https://wordpress.org/news/2013/09/wordpress-3-6-1/

Related Vulnerabilities

WordPress Plugin Agent Storm by StormRETS Multiple Cross-Site Scripting Vulnerabilities (1.1.35)

Joomla! Core 2.5.x Cross-Site Scripting (2.5.0 - 2.5.14)

Liferay Portal Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2021-29053)

WordPress Plugin Sociable Cross-Site Scripting (4.3.4.1)

WordPress Plugin All in One SEO-Best WordPress SEO-Easily Improve SEO Rankings & Increase Traffic Cross-Site Scripting (3.2.6)

Severity

High

Classification

CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739 CWE-20 CWE-94 CWE-264 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update