WordPress through 4.8.2, when domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.

According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities :

 - Weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values.

 - When domain-based flashmediaelement.swf sandboxing is not used, allows remote attackers to conduct cross-domain Flash injection (XSF) attacks by leveraging code contained within the wp-includes/js/mediaelement/flashmediaelement.swf file.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.8.3.
It is, therefore, affected by a SQL Injection vulnerability and other vulnerabilities:

  - WordPress through 4.8.2 uses a weak MD5-based     password hashing algorithm, which makes it easier for     attackers to determine cleartext values by leveraging     access to the hash values.

  - WordPress through 4.8.2, when domain-based     flashmediaelement.swf sandboxing is not used, allows     remote attackers to conduct cross-domain Flash     injection (XSF) attacks by leveraging code contained     within the wp-includes/js/mediaelement/flashmediaelement.swf     file.

ID	Name	Product	Family	Severity
98317	WordPress 3.7.x < 3.7.23 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98316	WordPress 3.8.x < 3.8.23 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98315	WordPress 3.9.x < 3.9.21 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98314	WordPress 4.0.x < 4.0.20 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98313	WordPress 4.1.x < 4.1.20 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98312	WordPress 4.2.x < 4.2.17 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98311	WordPress 4.3.x < 4.3.13 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98310	WordPress 4.4.x < 4.4.12 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98309	WordPress 4.5.x < 4.5.11 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98308	WordPress 4.6.x < 4.6.8 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98307	WordPress 4.7.x < 4.7.7 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98306	WordPress 4.8.x < 4.8.3 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
104356	WordPress < 4.8.3 Multiple Vulnerabilities	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2016-9263

medium

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical