CVE-2007-4893

medium

Description

wp-admin/admin-functions.php in Wordpress before 2.2.3 and Wordpress multi-user (MU) before 1.2.5a does not properly verify the unfiltered_html privilege, which allows remote attackers to conduct cross-site scripting (XSS) attacks via modified data to (1) post.php or (2) page.php with a no_filter field.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/36576

https://bugzilla.redhat.com/show_bug.cgi?id=285831

http://www.vupen.com/english/advisories/2007/3132

http://www.securityfocus.com/bid/25639

http://wordpress.org/development/2007/09/wordpress-223/

http://trac.wordpress.org/ticket/4720

http://secunia.com/advisories/26796

http://secunia.com/advisories/26771

http://fedoranews.org/updates/FEDORA-2007-214.shtml

Details

Source: Mitre, NVD

Published: 2007-09-14

Updated: 2017-07-29

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium