WordPress Multiple Vulnerabilities
Last Update Date:
26 Jun 2013 10:56
Release Date:
26 Jun 2013
RISK: Medium Risk
TYPE: Servers - Other Servers
Multiple vulnerabilities have been identified in WordPress. A remote user can conduct server-side request forgery and XML external entity attacks and obtain the full upload path; a remote authenticated user can obtain elevated privileges; and cross-site scripting and content spoofing are possible through bundled third-party components.
- A remote user can conduct server-side request forgery (SSRF) attacks via the HTTP API, potentially gaining access to the target site.
- A remote authenticated user with contributor privileges can improperly publish posts and reassign the authorship of posts.
- A remote user can conduct cross-site scripting attacks via the bundled SWFUpload library when uploading media, editing media, and installing or updating plugins and themes.
- A remote user can spoof content via a Flash applet due to a flaw in the TinyMCE Media plugin.
- A remote user can obtain the full upload path during file upload (path disclosure).
- A remote user can conduct an XML external entity (XXE) injection attack via oEmbed to obtain potentially sensitive information.
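The SSRF and XXE items above share a root cause: attacker-influenced input (a URL to fetch, an XML document to parse) reaches a server-side fetch or parser without validation. The following is an added example, not WordPress code and not part of this advisory, showing the two checks a consumer of remote oEmbed data should make: validate the URL's scheme and resolved address before fetching, and refuse any XML that carries a DOCTYPE or entity declaration before it reaches the parser. The host table, the sample oEmbed documents and all function names are constructed for illustration.

```python
import ipaddress
import re
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080, 8443}
MAX_OEMBED_BYTES = 64 * 1024                    # assumption: real oEmbed replies are tiny
OEMBED_TYPES = {"photo", "video", "link", "rich"}  # the four types the oEmbed spec defines
DTD_RE = re.compile(rb"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)

# Constructed resolver table so the example runs offline; unknown names are
# treated as IP literals. A real deployment would use system DNS (see real_resolve).
FAKE_HOSTS = {"example.com": ["93.184.216.34"], "internal.test": ["10.0.0.5"]}


def fake_resolve(host):
    return FAKE_HOSTS.get(host, [host])


def real_resolve(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_safe_fetch_url(url, resolve=real_resolve):
    """Return (ok, reason). Rejects URLs whose scheme, port, credentials or
    resolved address would let a server-side fetch reach something it should not."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addrs = resolve(parts.hostname)
    except OSError:
        return False, "unresolvable host"
    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False, "resolver returned a non-address"
        # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) must be judged as the IPv4 it wraps.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # is_global is False for loopback, RFC1918, link-local (169.254.0.0/16,
        # where cloud metadata services live), shared address space, multicast, reserved.
        if not ip.is_global:
            return False, "resolves to non-public address %s" % ip
    return True, "ok"


def parse_oembed_xml(data):
    """Parse an oEmbed XML response into a dict of fields, refusing any document
    that declares a DTD: oEmbed never needs one, and it is the only vehicle for XXE."""
    if len(data) > MAX_OEMBED_BYTES:
        raise ValueError("oEmbed response too large")
    if DTD_RE.search(data):
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed in oEmbed responses")
    root = ET.fromstring(data)
    if root.tag != "oembed":
        raise ValueError("unexpected root element")
    fields = {child.tag: (child.text or "") for child in root}
    if fields.get("type") not in OEMBED_TYPES:
        raise ValueError("unknown oEmbed type")
    return fields


def oembed_is_safe(data):
    try:
        parse_oembed_xml(data)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed sample responses: a benign one and one carrying an external entity.
GOOD_OEMBED = (b'<?xml version="1.0"?><oembed><type>photo</type><version>1.0</version>'
               b'<url>https://example.com/cat.jpg</url><width>400</width><height>300</height></oembed>')
XXE_OEMBED = (b'<?xml version="1.0"?><!DOCTYPE oembed [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              b'<oembed><type>photo</type><url>&xxe;</url></oembed>')

if __name__ == "__main__":
    for u in ("https://example.com/oembed", "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "http://internal.test/"):
        print(u, is_safe_fetch_url(u, resolve=fake_resolve))
    print("good:", oembed_is_safe(GOOD_OEMBED), "xxe:", oembed_is_safe(XXE_OEMBED))
```

Two caveats apply to the URL check. Validating, then letting an HTTP client resolve the name again, leaves a DNS rebinding window; connect to the address that was validated, or re-run the check against the socket's peer address. Redirects must go through the same check, since a public host can 302 to a loopback or metadata address.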
Impact
- Cross-Site Scripting
- Elevation of Privilege
- Server-Side Request Forgery
- Information Disclosure
System / Technologies affected
- Versions prior to 3.5.2
Solutions
Before installing the software, please visit the vendor's web site for more details.
- The vendor has issued a fix: upgrade to WordPress 3.5.2.