WordPress Multiple Vulnerabilities (Security Release) - December 2018 (Linux)

Published: 2018-12-17 13:16:22
CVE Author: NIST National Vulnerability Database (NVD)

CVSS Base Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary:
This host is running WordPress and is prone to multiple vulnerabilities.

Detection Method:
Checks if a vulnerable version is present on the target host.

Technical Details:
The following vulnerabilities exist:
- Authors could alter meta data to delete files that they weren't authorized to.
- Authors could create posts of unauthorized post types with specially crafted input.
- Contributors could craft meta data in a way that resulted in PHP object injection.
- Contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting vulnerability.
- Specially crafted URL inputs could lead to a cross-site scripting vulnerability in some circumstances. WordPress itself was not affected, but plugins could be in some situations.
- The user activation screen could be indexed by search engines in some uncommon configurations, leading to exposure of email addresses and, in some rare cases, default generated passwords.
- Authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting vulnerability.

Affected Versions:
All versions from WordPress 3.7 through 5.0 (inclusive).

Recommendations:
The issues have been fixed in version 5.0.1. Updated versions of WordPress 4.9 and older releases are also available. Please see the references for more information.

Solution Type:
Vendor Patch

Detection Type:
Remote Banner Unreliable
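The detection method above is a version comparison against the affected range (3.7 through 5.0) and the mainline fix (5.0.1), and its "Remote Banner Unreliable" rating reflects that the version string has to be scraped from the target. The following is an added example of such a check, written for this page and not taken from the scanner or from WordPress. It reads the version from either the `<meta name="generator">` tag or the `readme.html` heading, then decides whether it falls inside the affected window. The advisory only says that updated 4.9 and older releases exist without listing them, so the single back-ported point release in `ASSUMED_BRANCH_FIXES` is an assumption to be confirmed against the releases page; without a branch map the check stays conservative and flags every 3.7 to 5.0 version. All sample pages are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (3, 7, 0)   # "All versions since WordPress 3.7"
FIXED_MAINLINE: Version = (5, 0, 1)   # "fixed in version 5.0.1"

# Patched point releases on older branches. The advisory says such releases exist
# but does not enumerate them; this entry is an ASSUMPTION for illustration only.
# Fill the map from the wordpress.org releases page before relying on it.
ASSUMED_BRANCH_FIXES: Dict[str, Version] = {"4.9": (4, 9, 9)}

# Constructed sample responses (not real captures).
SAMPLE_PAGES = {
    "meta": '<html><head><meta name="generator" content="WordPress 4.9.8" /></head></html>',
    "readme": '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />'
              '<br /> Version 5.0</h1>',
    "patched": '<head><meta content="WordPress 5.0.1" name="generator" /></head>',
    "other_cms": '<head><meta name="generator" content="Hugo 0.55" /></head>',
}

_META_RE = re.compile(r"<meta[^>]*>", re.I)
_WP_RE = re.compile(r"WordPress\s+(\d+(?:\.\d+){0,2})")
_README_RE = re.compile(r"Version\s+(\d+(?:\.\d+){0,2})\s*</h1>", re.I)


def parse_version(text: str) -> Version:
    """Turn '5.0' or '4.9.8' into a 3-tuple so tuples compare correctly."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def extract_version(html: str) -> Optional[Version]:
    """Scrape the WordPress version from a generator meta tag (either attribute
    order) or from the readme.html heading. Returns None when neither is present."""
    for tag in _META_RE.findall(html):
        if "generator" in tag.lower():
            m = _WP_RE.search(tag)
            if m:
                return parse_version(m.group(1))
    m = _README_RE.search(html)
    if m:
        return parse_version(m.group(1))
    return None


def is_vulnerable(v: Version, branch_fixes: Optional[Dict[str, Version]] = None) -> bool:
    """True when v lies in [3.7, 5.0.1) and is not a back-ported fix on its branch."""
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    branch = f"{v[0]}.{v[1]}"
    fixes = branch_fixes or {}
    if branch in fixes and v >= fixes[branch]:
        return False
    return True


def assess(html: str, branch_fixes: Optional[Dict[str, Version]] = None) -> dict:
    """Classify a fetched page; a missing banner is 'unknown', never 'safe'."""
    v = extract_version(html)
    if v is None:
        return {"version": None, "status": "unknown"}
    status = "vulnerable" if is_vulnerable(v, branch_fixes) else "not_vulnerable"
    return {"version": v, "status": status}


if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(name, assess(page, ASSUMED_BRANCH_FIXES))
```

Two practical caveats follow from the code: a site that strips the generator tag and blocks `readme.html` comes back as `unknown`, which a scanner should report as undetermined rather than clean, and a 4.9.9 banner is only cleared when the branch map says so, since tuple comparison alone would place it below 5.0.1.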

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2018-20147
https://nvd.nist.gov/vuln/detail/CVE-2018-20148
https://nvd.nist.gov/vuln/detail/CVE-2018-20149
https://nvd.nist.gov/vuln/detail/CVE-2018-20150
https://nvd.nist.gov/vuln/detail/CVE-2018-20151
https://nvd.nist.gov/vuln/detail/CVE-2018-20152
https://nvd.nist.gov/vuln/detail/CVE-2018-20153

SecurityFocus Bugtraq ID:

https://www.securityfocus.com/bid/106220

References:

https://wordpress.org/news/2018/12/wordpress-5-0-1-security-release/
https://wordpress.org/download/releases/

Severity:
High

CVSS Score:
7.5
