In WordPress before 4.9.9 and 5.x before 5.0.1, crafted URLs could trigger XSS for certain use cases involving plugins.

Several vulnerabilities were discovered in Wordpress, a web blogging tool. They allowed remote attackers to perform various Cross-Side Scripting (XSS) and PHP injections attacks, delete files, leak potentially sensitive data, create posts of unauthorized types, or cause denial-of-service by application crash.

CVE-2018-20147

Authors could modify metadata to bypass intended restrictions on deleting files.

CVE-2018-20148 Contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

CVE-2018-20149

When the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

CVE-2018-20150

Crafted URLs could trigger XSS for certain use cases involving plugins.

CVE-2018-20151

The user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

CVE-2018-20152

Authors could bypass intended restrictions on post types via crafted input.

CVE-2018-20153

Contributors could modify new comments made by users with greater privileges, possibly causing XSS.

For Debian 8 'Jessie', these problems have been fixed in version 4.1.25+dfsg-1+deb8u1.

We recommend that you upgrade your wordpress packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities :

 - Authors could alter meta data to delete files that they weren’t authorized to.

 - Authors could create posts of unauthorized types with specially crafted input.

 - Contributors could craft meta data in a way that resulted in PHP object injection.

 - Contributors could edit new comments from higher-privileged users, potentially leading to a cross-site scripting.

 - User activation screen could be indexed by search engines leading to exposure of sensitive information.

 - Authors on Apache-hosted sites could upload specifically crafted files that bypass MIME verification, leading to a cross-site scripting.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.9.9, or 5.x prior to 5.0.1. It is, therefore, affected by multiple vulnerabilities, including cross-site scripting (XSS) vulnerabilities due to improper validation of user-supplied input before returning it to users.

ID	Name	Product	Family	Severity
122551	Debian DSA-4401-1 : wordpress - security update	Nessus	Debian Local Security Checks	critical
122100	Debian DLA-1673-1 : wordpress security update	Nessus	Debian Local Security Checks	critical
98383	WordPress 3.7.x < 3.7.28 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98382	WordPress 3.8.x < 3.8.28 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98381	WordPress 3.9.x < 3.9.26 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98380	WordPress 4.0.x < 4.0.25 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98379	WordPress 4.1.x < 4.1.25 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98378	WordPress 4.2.x < 4.2.22 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98377	WordPress 4.3.x < 4.3.18 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98376	WordPress 4.4.x < 4.4.17 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98375	WordPress 4.5.x < 4.5.16 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98374	WordPress 4.6.x < 4.6.13 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98373	WordPress 4.7.x < 4.7.12 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98372	WordPress 4.8.x < 4.8.8 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98371	WordPress 4.9.x < 4.9.9 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
98370	WordPress 5.0.x < 5.0.1 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
119615	WordPress < 4.9.9 / 5.x < 5.0.1 Multiple Vulnerabilities	Nessus	CGI abuses	critical

Detections

Analytics

CVE-2018-20150

medium

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical