Description

WordPress is prone to multiple vulnerabilities, including remote code execution, security bypass and open redirect vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary code with the privileges of the user running the application, to compromise the application or the underlying database, to access or modify data, to compromise a vulnerable system, to perform otherwise restricted actions and subsequently create posts "written by" another user or to redirect users to arbitrary web sites and conduct phishing attacks. WordPress versions prior to 3.6.1 are vulnerable.

Remediation

Update to WordPress version 3.6.1 or latest

References

https://vagosec.org/2013/09/wordpress-php-object-injection/

https://vagosec.org/2013/12/wordpress-rce-exploit/

http://seclists.org/fulldisclosure/2013/Dec/174

https://wordpress.org/news/2013/09/wordpress-3-6-1/

Related Vulnerabilities

PleskLin URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2023-24044)

WordPress Plugin DukaPress SQL Injection (2.5.9)

WordPress Plugin WP-FeedStats de HTML Injection (2.3)

WordPress Plugin Gmedia Photo Gallery Multiple Cross-Site Scripting Vulnerabilities (1.18.4)

WordPress Plugin Contact Form 7 Dynamic Text Extension Cross-Site Scripting (2.0.2.1)

Severity

High

Classification

CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739 CWE-20 CWE-94 CWE-264 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Tags

Missing Update