DSA-3779

[oss-security] 20170114 Re: CVE Request: Wordpress: 8 security issues in 4.7

95399

1037591

https://codex.wordpress.org/Version_4.7.1

https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/

https://wpvulndb.com/vulnerabilities/8717

According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities :

 - A remote code execution vulnerability exists in the PHPMailer component in the class.phpmailer.php script due to improper handling of sender email addresses. An unauthenticated, remote attacker can exploit this to pass extra arguments to the sendmail binary, potentially allowing the attacker to execute arbitrary code. (CVE-2016-10033, CVE-2016-10045)

 - An information disclosure vulnerability exists in the REST API implementation due to a failure to properly restrict listings of post authors. An unauthenticated, remote attacker can exploit this, via a wp-json/wp/v2/users request, to disclose sensitive information. (CVE-2017-5487)

 - Multiple cross-site scripting (XSS) vulnerabilities exist in the update-core.php script due to improper validation of input to the plugin name or version header. An unauthenticated, remote attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-5488)

 - A cross-site request forgery (XSRF) vulnerability exists due to improper handling of uploaded Flash files. An unauthenticated, remote attacker can exploit this, via a specially crafted Flash file, to hijack the authentication of users. (CVE-2017-5489)

 - A cross-site scripting (XSS) vulnerability exists in the class-wp-theme.php script due to improper validation of input when handling theme name fallback. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-5490)

 - A security bypass vulnerability exists in the wp-mail.php script due to improper validation of mail server names. An unauthenticated, remote attacker can exploit this, via a spoofed mail server with the 'mail.example.com' name, to bypass intended security restrictions. (CVE-2017-5491)

 - A cross-site request forgery (XSRF) vulnerability exists in the widget-editing accessibility-mode feature due to a failure to require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions for HTTP requests. An unauthenticated, remote attacker can exploit this, by convincing a user to follow a specially crafted URL, to hijack the authentication of users or cause them to edit widgets. (CVE-2017-5492)

 - A security bypass vulnerability exists in the ms-functions.php script due to the use of weak cryptographic security for multisite activation keys. An unauthenticated, remote attacker can exploit this, via a specially crafted site sign-up or user sign-up, to bypass intended access restrictions. ( CVE-2017-5493)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to hijack victims' credentials, access sensitive information, execute arbitrary commands, bypass read and post restrictions, or mount denial-of-service attacks.

Several vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following issues.

CVE-2017-5488

Multiple cross-site scripting (XSS) vulnerabilities in wp-admin/update-core.php in WordPress before 4.7.1 allow remote attackers to inject arbitrary web script or HTML via the name or version header of a plugin.

CVE-2017-5489

Cross-site request forgery (CSRF) vulnerability in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims via vectors involving a Flash file upload.

CVE-2017-5490

Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.

CVE-2017-5491

wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

CVE-2017-5492

Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.

CVE-2017-5493

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted site signup or user signup.

CVE-2017-5610

wp-admin/includes/class-wp-press-this.php in Press This in WordPress before 4.7.2 does not properly restrict visibility of a taxonomy-assignment user interface, which allows remote attackers to bypass intended access restrictions by reading terms.

CVE-2017-5611

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.

CVE-2017-5612

Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.

For Debian 7 'Wheezy', these problems have been fixed in version 3.6.1+dfsg-1~deb7u13.

We recommend that you upgrade your wordpress packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.7.1.
It is, therefore, affected by multiple vulnerabilities :

  - A remote code execution vulnerability exists in the     PHPMailer component in the class.phpmailer.php script     due to improper handling of sender email addresses. An     unauthenticated, remote attacker can exploit this to     pass extra arguments to the sendmail binary, potentially     allowing the attacker to execute arbitrary code.
    (CVE-2016-10033, CVE-2016-10045)

  - An information disclosure vulnerability exists in the     REST API implementation due to a failure to properly     restrict listings of post authors. An unauthenticated,     remote attacker can exploit this, via a     wp-json/wp/v2/users request, to disclose sensitive     information. (CVE-2017-5487)

  - Multiple cross-site scripting (XSS) vulnerabilities     exist in the update-core.php script due to improper     validation of input to the plugin name or version     header. An unauthenticated, remote attacker can exploit     these, via a specially crafted request, to execute     arbitrary script code in a user's browser session.
    (CVE-2017-5488)

  - A cross-site request forgery (XSRF) vulnerability exists     due to improper handling of uploaded Flash files. An     unauthenticated, remote attacker can exploit this, via a     specially crafted Flash file, to hijack the     authentication of users. (CVE-2017-5489)

  - A cross-site scripting (XSS) vulnerability exists in the     class-wp-theme.php script due to improper validation of     input when handling theme name fallback. An     unauthenticated, remote attacker can exploit this, via a     specially crafted request, to execute arbitrary script     code in a user's browser session. (CVE-2017-5490)

  - A security bypass vulnerability exists in the     wp-mail.php script due to improper validation of mail     server names. An unauthenticated, remote attacker can     exploit this, via a spoofed mail server with the     'mail.example.com' name, to bypass intended security     restrictions. (CVE-2017-5491)

  - A cross-site request forgery (XSRF) vulnerability exists     in the widget-editing accessibility-mode feature due to     a failure to require multiple steps, explicit     confirmation, or a unique token when performing certain     sensitive actions for HTTP requests. An unauthenticated,     remote attacker can exploit this, by convincing a user     to follow a specially crafted URL, to hijack the     authentication of users or cause them to edit widgets.
    (CVE-2017-5492)

  - A security bypass vulnerability exists in the     ms-functions.php script due to the use of weak     cryptographic security for multisite activation keys. An     unauthenticated, remote attacker can exploit this, via a     specially crafted site sign-up or user sign-up, to     bypass intended access restrictions. (CVE-2017-5493)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Versions of WordPress prior to 4.7.1 are affected by multiple vulnerabilities :

 - A flaw exists in the 'wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php' script that is triggered when making a request to the 'wp-json/wp/v2/users' API endpoint, that may expose user data for users who have authored public posts. This may allow a remote attacker to disclose potentially sensitive user data. (CVE-2017-5487)
 - A flaw exists that allows a cross-site scripting (XSS) attack. This flaw exists because the 'wp-admin/update-core.php' script does not validate input to the plugin name or version header before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2017-5488)
 - A flaw exists that is triggered during the handling of a specially crafted uploaded flash file. This may allow a context-dependent attacker to bypass CSRF protection mechanisms and potentially conduct a CSRF attack. (CVE-2017-5489)
 - A flaw exists that allows a XSS attack. This flaw exists because the 'wp-includes/class-wp-theme.php' script does not validate input when handling theme name fallback before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2017-5490)
 - A flaw exists in the 'wp-mail.php' script that is triggered when post via email checks mail.example.com in the default settings. This may allow an attacker to spoof the mail server and bypass restrictions. (CVE-2017-5491)
 - A flaw exists related to the accessibility mode of widget editing as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF/XSRF) attack causing the victim to edit widgets. (CVE-2017-5492)
 - A flaw exists in the 'wp-includes/ms-functions.php' script that is due to the use of weak cryptographic security for multisite activation keys. No further details have been provided by the vendor. (CVE-2017-5493)

Aaron D. Campbell reports :

WordPress versions 4.7 and earlier are affected by eight security issues...

ID	Name	Product	Family	Severity
98260	WordPress 3.7.x < 3.7.17 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98259	WordPress 3.8.x < 3.8.17 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98258	WordPress 3.9.x < 3.9.15 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98257	WordPress 4.0.x < 4.0.14 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98256	WordPress 4.1.x < 4.1.14 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98255	WordPress 4.2.x < 4.2.11 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98254	WordPress 4.3.x < 4.3.7 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98253	WordPress 4.4.x < 4.4.6 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98252	WordPress 4.5.x < 4.5.5 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98251	WordPress 4.6.x < 4.6.2 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98250	WordPress 4.7.x < 4.7.1 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
96932	Debian DSA-3779-1 : wordpress - security update	Nessus	Debian Local Security Checks	high
96930	Debian DLA-813-1 : wordpress security update	Nessus	Debian Local Security Checks	high
96606	WordPress < 4.7.1 Multiple Vulnerabilities	Nessus	CGI abuses	high
9894	WordPress < 4.7.1 Multiple Vulnerabilities	Nessus Network Monitor	CGI	medium
96513	FreeBSD : wordpress -- multiple vulnerabilities (b180d1fb-dac6-11e6-ae1b-002590263bf5)	Nessus	FreeBSD Local Security Checks	medium

CVE-2017-5489

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins