WordPress Multiple Vulnerabilities

Last Update Date: 26 Jun 2013 10:56 Release Date: 26 Jun 2013 3412 Views

RISK: Medium Risk

Medium Risk

TYPE: Servers - Other Servers

TYPE: Other Servers

Multiple vulnerabilities have been identified in WordPress. A remote authenticated user can obtain elevated privileges on the target application, conduct cross-site scripting and request forgery attacks, and determine the upload path.

  1. A remote user can conduct server-side request forgery (SSRF) attacks via the HTTP API to potentially access the target site.
  2. A remote authenticated user with contributor privileges can publish posts and reassign the ownership of posts.
  3. A remote user can conduct cross-site scripting attacks via SWFUpload, when uploading media, editing media and when installing or updating plugins and themes.
  4. A remote user can spoof content via a Flash applet due to a flaw in the TinyMCE Media Plugin
  5. A remote user can determine the full upload path during file upload
  6. A remote user can conduct an XML external entity (XXE) injection attack via oEmbed to obtain potentially sensitive information

Impact

  • Cross-Site Scripting
  • Elevation of Privilege

System / Technologies affected

  • Versions prior to 3.5.2

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • The vendor has issued a fix (3.5.2).

Vulnerability Identifier

Source

Related Link

Share with

Previous

cURL Heap Overflow Vulnerability

25 Jun 2013 3391 Views

Next

Cisco Products Multiple Vulnerabilities

27 Jun 2013 3527 Views

We use cookies to give you the best possible experience on our website. By continuing to browse this site, you give consent for cookies to be used. For more details please read our Cookie Policy.

PRIVACY POLICY