WordPress 4.9.x < 4.9.7 Arbitrary File Deletion Vulnerability

Medium Nessus Plugin ID 111229

Synopsis

A PHP application running on the remote web server is affected by an arbitrary file deletion vulnerability.

Description

According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.9.7. It is, therefore, affected by an arbitrary file deletion vulnerability that can lead to remote code execution.

Solution

Upgrade to WordPress version 4.9.7 or later.

See Also

http://www.nessus.org/u?2a24cd03

http://www.nessus.org/u?5478aed7

http://www.nessus.org/u?44e0dfce

Plugin Details

Severity: Medium

ID: 111229

File Name: wordpress_4_9_7.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 2018/07/24

Modified: 2018/07/24

Dependencies: 18297

Risk Information

Risk Factor: Medium

CVSS Score Source: Tenable

CVSS Score Rationale: Analysis by tenable researcher.

CVSSv2

Base Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:P

CVSSv3

Base Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress

Required KB Items: www/PHP, installed_sw/WordPress, Settings/ParanoidReport

Patch Publication Date: 2018/07/05

Vulnerability Publication Date: 2018/07/05