WordPress < 3.6.1 Multiple Vulnerabilities
Critical Nessus Network Monitor Plugin ID 9094
Synopsis
The remote server is hosting an outdated installation of WordPress that is vulnerable to multiple attack vectors.
Description
Versions of WordPress prior to 3.6.1 are susceptible to the following vulnerabilities:
- A flaw exists in the 'get_allowed_mime_types' function in 'wp-includes/functions.php'. The issue is due to the program failing to properly restrict file uploads for SWF and EXE files. With a specially crafted file, a remote authenticated attacker can more easily conduct a cross-site scripting (XSS) attack. (CVE-2013-5739)
- A flaw exists in the 'wp-includes/functions.php' script that is due to the program failing to determine whether data has been serialized. With a saturation of PHP unserialize operations, a remote attacker can potentially execute arbitrary code. (CVE-2013-4338)
- A flaw exists that is triggered when handling a specially crafted string, which can result in URLs not being properly validated before an HTTP redirect. This may allow a remote attacker to bypass redirect restrictions. (CVE-2013-4339)
- A flaw exists in the 'wp-admin/includes/post.php' script that is triggered when handling a specially crafted 'user_ID' parameter. This may allow a remote attacker to spoof the authorship of arbitrary posts. (CVE-2013-4340)
- A flaw exists in the 'get_allowed_mime_types' function in 'wp-includes/functions.php' that is due to HTML file uploads not requiring the unfiltered_html capability. With a specially crafted file, a remote attacker can more easily conduct a cross-site scripting (XSS) attack. (CVE-2013-5738)
- A flaw exists that allows a remote cross-site redirection attack. This flaw exists because the application does not validate input passed via '_wp_http_referer' or '_wp_original_http_referer' upon submission to the 'edit-tags.php' and 'media.php' scripts. This could allow a user to create a specially crafted URL that, if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appears to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client-side software such as a web browser or document rendering programs.
- A flaw exists that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the '_wp_http_referer' parameter upon submission to the '/wp-admin/edit-tags.php' script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
Solution
Upgrade to WordPress 3.6.1, or later.