FreeBSD : wordpress -- multiple vulnerabilities (14ea4458-e5cd-11e6-b56d-38d547003487)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Aaron D. Campbell reports :

WordPress versions 4.7.1 and earlier are affected by three security
issues :

- The user interface for assigning taxonomy terms in Press This is
shown to users who do not have permissions to use it.

- WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe
data. WordPress core is not directly vulnerable to this issue, but
we've added hardening to prevent plugins and themes from
accidentally causing a vulnerability.

- A cross-site scripting (XSS) vulnerability was discovered in the
posts list table.

- An unauthenticated privilege escalation vulnerability was discovered
in a REST API endpoint.

See also :

http://www.openwall.com/lists/oss-security/2017/01/28/5
https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
http://www.nessus.org/u?aeb834e4
http://www.nessus.org/u?38486821

Solution :

Update the affected packages.
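The advisory only says which range is affected (4.7.1 and earlier) and that the fix is to update the package. The script below, added here as an example and not code from the Tenable plugin or the FreeBSD VuXML entry, turns that into an offline check: it compares installed package versions against the 4.7.2 fix boundary using the FreeBSD version format (port revision and epoch suffixes stripped) and flags the packages still in range, then lists the pkg(8) commands used on a real host. The helper functions vercmp and audit_lines, the constructed sample of `pkg query '%n %v'` output, and the assumption that the language-pack ports (de-wordpress, ja-wordpress, ...) follow the same version scheme are all mine, not the project's.

```sh
#!/bin/sh
# Added example (not from Nessus, pkg(8) or the FreeBSD ports tree): decide
# offline whether an installed WordPress package is inside the affected range
# of this VuXML entry (everything before 4.7.2), then show the pkg(8) commands
# a FreeBSD administrator runs to confirm and remediate on the host itself.

FIXED_IN=4.7.2   # advisory: 4.7.1 and earlier are affected, 4.7.2 is the fix

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B. Compares dotted numeric
# versions after dropping the FreeBSD port-revision ("_1") and epoch (",1")
# suffixes. On a FreeBSD host "pkg version -t A B" does the same job; this
# pure-sh version is an assumed helper so the example runs anywhere.
vercmp() {
    a=${1%%,*}; a=${a%%_*}
    b=${2%%,*}; b=${b%%_*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0          # missing component counts as 0 (4.7 == 4.7.0)
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1;  return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# wordpress_affected VERSION: exit 0 when VERSION is older than the fix.
wordpress_affected() {
    [ "$(vercmp "$1" "$FIXED_IN")" -lt 0 ]
}

# audit_lines: read "name version" pairs on stdin (the shape of
# `pkg query '%n %v'` output) and print the WordPress packages that still need
# the update. The language-pack ports are assumed to share the version scheme,
# so the name pattern covers "*-wordpress" as well.
audit_lines() {
    while read -r name ver; do
        case $name in
            wordpress|*-wordpress) ;;
            *) continue ;;
        esac
        if wordpress_affected "$ver"; then
            printf '%s-%s affected: update to %s or later\n' "$name" "$ver" "$FIXED_IN"
        fi
    done
}

# Constructed sample of `pkg query '%n %v'` output; not captured from a real host.
SAMPLE='wordpress 4.7.1
de-wordpress 4.7.1_1
ja-wordpress 4.7.2
nginx 1.10.3,2'

printf '%s\n' "$SAMPLE" | audit_lines

# On the FreeBSD host the authoritative check and fix are:
#   pkg audit -F                  # refresh the VuXML database, list every vulnerable installed package
#   pkg audit wordpress-4.7.1     # check one name-version against VuXML (matches entry 14ea4458-e5cd-11e6-b56d-38d547003487)
#   pkg upgrade wordpress         # install the fixed package from the binary repository
# Ports users rebuild from www/wordpress after updating the tree instead of running pkg upgrade.
```

Running the block prints two lines, for wordpress-4.7.1 and de-wordpress-4.7.1_1; ja-wordpress is already at 4.7.2 and nginx is skipped by the name filter. Note that the numeric comparison treats the port revision as irrelevant on purpose: a rebuilt 4.7.1_1 still ships the vulnerable upstream code, which is exactly how VuXML ranges are evaluated.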

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 96850

CVE ID: CVE-2017-5610
CVE-2017-5611
CVE-2017-5612
