GLSA-200703-23 : WordPress: Multiple vulnerabilities

This script is Copyright (C) 2007-2015 Tenable Network Security, Inc.

Synopsis :

The remote Gentoo host is missing one or more security-related

Description :

The remote host is affected by the vulnerability described in GLSA-200703-23
(WordPress: Multiple vulnerabilities)

WordPress contains cross-site scripting or cross-site request forgery
vulnerabilities reported by:

- g30rg3_x in the 'year' parameter of the wp_title() function
- Alexander Concha in the 'demo' parameter of wp-admin/admin.php
- Samenspender and Stefan Friedli in the 'post' parameter of
  wp-admin/post.php and wp-admin/page.php, in the 'cat_ID' parameter of
  wp-admin/categories.php and in the 'c' parameter of wp-admin/comment.php
- PsychoGun in the 'file' parameter of wp-admin/templates.php

Additionally, WordPress prints the full PHP script paths in some error

Impact :

The cross-site scripting vulnerabilities can be triggered to steal
browser session data or cookies. A remote attacker can entice a user to
browse to a specially crafted web page that can trigger the cross-site
request forgery vulnerability and perform arbitrary WordPress actions
with the permissions of the user. Additionally, the path disclosure
vulnerability could help an attacker to perform other attacks.

Workaround :

There is no known workaround at this time for all these

Solution :

Due to the numerous recently discovered vulnerabilities in WordPress,
this package has been masked in the portage tree. All WordPress users
are advised to unmerge it.
# emerge --unmerge 'www-apps/wordpress'

Risk factor :

Medium / CVSS Base Score : 6.8

Family: Gentoo Local Security Checks

Nessus Plugin ID: 24889 (gentoo_GLSA-200703-23.nasl)

CVE ID: CVE-2007-1049