Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-     actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read     certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated     by /dev/random read operations that deplete the entropy pool. (CVE-2016-6896)

Note that Nessus relies on the presence of the package as reported by the vendor.

Versions of WordPress 4.5.x prior to 4.6 are affected by multiple vulnerabilities :

 - A path traversal vulnerability exists in the WordPress Admin API in the 'wp_ajax_update_plugin()' function in 'ajax-actions.php' due to improper sanitization of user-supplied input.  An authenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition. (CVE-2016-6896)
 - A cross-site request forgery vulnerability (CSRF/XSRF) exists in the 'admin-ajax.php' script due to a failure to require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions.  An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted link, to perform arbitrary AJAX updates. (CVE-2016-6897)
 - An information disclosure vulnerability exists in the 'wp_ajax_update_plugin()' function in the 'ajax-actions.php' script due to performing a call to 'get_plug_data()' before checking capabilities.  An authenticated, remote attacker can exploit this to bypass intended read-access restrictions, resulting in a disclosure of sensitive information. (CVE-2016-10148)

See upstream announcement: [WordPress 4.6 &ldquo;Pepper&rdquo;](https://wordpress.org/news/2016/08/pepper/)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

See upstream announcements :

  - [WordPress 4.6     &ldquo;Pepper&rdquo;](https://wordpress.org/news/2016/08     /pepper/)

  - [WordPress 4.6.1 Security and Maintenance     Release](https://wordpress.org/news/2016/09/wordpress-4-     6-1-security-and-maintenance-release/)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.6. It is, therefore, affected by multiple vulnerabilities :

  - A path traversal vulnerability exists in the WordPress     Admin API in the wp_ajax_update_plugin() function in     ajax-actions.php due to improper sanitization of     user-supplied input. An authenticated, remote attacker     can exploit this, via a specially crafted request, to     cause a denial of service condition. (CVE-2016-6896)

  - A cross-site request forgery vulnerability (XSRF) exists     in the admin-ajax.php script due to a failure to require     multiple steps, explicit confirmation, or a unique token     when performing certain sensitive actions. An     unauthenticated, remote attacker can exploit this, by     convincing a user to follow a specially crafted link, to     perform arbitrary AJAX updates. (CVE-2016-6897)

  - An information disclosure vulnerability exists in the     wp_ajax_update_plugin() function in the ajax-actions.php     script due to performing a call to get_plug_data()     before checking capabilities. An authenticated, remote     attacker can exploit this to bypass intended read-access     restrictions, resulting in a disclosure of sensitive     information. (CVE-2016-10148)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
254485	Linux Distros Unpatched Vulnerability : CVE-2016-6896	Nessus	Misc.	high
9949	WordPress 4.5.x < 4.6 Multiple Vulnerabilities	Nessus Network Monitor	CGI	medium
94825	Fedora 25 : wordpress (2016-80a1d6211a)	Nessus	Fedora Local Security Checks	high
93633	Fedora 24 : wordpress (2016-a8657278bf)	Nessus	Fedora Local Security Checks	high
93630	Fedora 23 : wordpress (2016-91bfe9ddb8)	Nessus	Fedora Local Security Checks	high
93111	WordPress < 4.6 Multiple Vulnerabilities	Nessus	CGI abuses	high

Detections

Analytics

CVE-2016-6896

high

Tenable Plugins

high

medium

high

high

high

high