FreeBSD : wordpress -- multiple vulnerabilities (14ea4458-e5cd-11e6-b56d-38d547003487)

High Nessus Plugin ID 96850


The remote FreeBSD host is missing one or more security-related updates.


Aaron D. Campbell reports:

WordPress versions 4.7.1 and earlier are affected by three security issues:

- The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.

- WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we've added hardening to prevent plugins and themes from accidentally causing a vulnerability.

- A cross-site scripting (XSS) vulnerability was discovered in the posts list table.

- An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.


Update the affected packages.

Plugin Details

Severity: High

ID: 96850

File Name: freebsd_pkg_14ea4458e5cd11e6b56d38d547003487.nasl

Version: $Revision: 3.4 $

Type: local

Published: 2017/01/30

Modified: 2017/02/13

Dependencies: 12634

Risk Information

Risk Factor: High


CVSS v2 Base Score: 7.5

CVSS v2 Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3 Base Score: 9.8

CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:de-wordpress, p-cpe:/a:freebsd:freebsd:ja-wordpress, p-cpe:/a:freebsd:freebsd:ru-wordpress, p-cpe:/a:freebsd:freebsd:wordpress, p-cpe:/a:freebsd:freebsd:zh-wordpress-zh_CN, p-cpe:/a:freebsd:freebsd:zh-wordpress-zh_TW, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2017/01/29

Vulnerability Publication Date: 2017/01/26

Reference Information

CVE: CVE-2017-5610, CVE-2017-5611, CVE-2017-5612