WordPress < 3.7.4 / 3.8.4 / 3.9.2 Multiple Vulnerabilities

high Nessus Plugin ID 77157

Synopsis

The remote web server contains a PHP application that is affected by multiple vulnerabilities.

Description

According to its version number, the WordPress application hosted on the remote web server is affected by multiple vulnerabilities :

- An XML injection flaw exists within 'getid3.lib.php' due to the parser accepting XML external entities from untrusted sources. Using specially crafted XML data, a remote attacker could access sensitive information or cause a denial of service. This affects versions 3.6 - 3.9.1, except 3.7.4 and 3.8.4.

- An XML injection flaw exists within 'xmlrpc.php' due to the parser accepting XML internal entities without properly validating them. Using specially crafted XML data, a remote attacker could cause a denial of service.
This affects versions 1.5 - 3.9.1, except 3.7.4 and 3.8.4.

- An unsafe serialization flaw exists in the script '/src/wp-includes/class-wp-customize-widgets.php' when processing widgets. This could allow a remote attacker to execute arbitrary code. Versions 3.9 and 3.9.1 non-default configurations are affected.

- A flaw exists when building CSRF tokens due to it not separating pieces by delimiter and not comparing nonces in a time-constant manner. This could allow a remote attacker to conduct a brute force attack and potentially disclose the CSRF token. This affects versions 2.0.3 - 3.9.1, except 3.7.4 and 3.8.4.

- A cross-site scripting flaw exists in the function 'get_avatar' within the '/src/wp-includes/pluggable.php' script where input from the avatars is not validated before returning it to the user. Using a specially crafted request, an authenticated attacker could execute arbitrary script code within the browser / server trust relationship. This affects version 3.9.1.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to WordPress 3.7.4 / 3.8.4 / 3.9.2 or later.

See Also

https://wordpress.org/news/2014/08/wordpress-3-9-2/

https://codex.wordpress.org/Version_3.9.2

https://seclists.org/oss-sec/2014/q3/301

https://core.trac.wordpress.org/changeset/29405/branches/3.9

https://core.trac.wordpress.org/changeset/29389

https://core.trac.wordpress.org/changeset/29390

https://core.trac.wordpress.org/changeset/29384

https://core.trac.wordpress.org/changeset/29408

https://core.trac.wordpress.org/changeset/29398

Plugin Details

Severity: High

ID: 77157

File Name: wordpress_3_9_2.nasl

Version: 1.15

Type: remote

Family: CGI abuses

Published: 8/12/2014

Updated: 1/19/2021

Configuration: Enable paranoid mode

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress

Required KB Items: www/PHP, installed_sw/WordPress, Settings/ParanoidReport

Exploit Ease: No exploit is required

Patch Publication Date: 8/6/2014

Vulnerability Publication Date: 3/7/2014

Reference Information

CVE: CVE-2014-2053, CVE-2014-5203, CVE-2014-5204, CVE-2014-5205, CVE-2014-5240, CVE-2014-5265, CVE-2014-5266

BID: 69096

CWE: 20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990