WordPress < 3.6.1 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9094

Synopsis

The remote server is hosting an outdated installation of WordPress that is vulnerable to multiple attack vectors.

Description

Versions of WordPress prior to 3.6.1 are susceptible to the following vulnerabilities :

- A flaw exists in the 'get_allowed_mime_types function' in 'wp-includes/functions.php'. The issue is due to the program failing to properly restrict file uploads for SWF and EXE files. With a specially crafted file, a remote authenticated attacker can more easily conduct a cross-site scripting (XSS) attack. (CVE-2013-5739)
- A flaw exists in the 'wp-includes/functions.php' script that is due to the program failing to determine whether data has been serialized. With a saturation of PHP unserialize operations, a remote attacker can potentially execute arbitrary code. (CVE-2013-4338)
- A flaw exists that is triggered when handling a specially crafted string, which can result in URLs not being properly validated before an HTTP redirect. This may allow a remote attacker to bypass redirect restrictions. (CVE-2013-4339)
- A flaw exists in the 'wp-admin/includes/post.php' script that is triggered when handling a specially crafted 'user_ID' parameter. This may allow a remote attacker to spoof the authorship of arbitrary posts. (CVE-2013-4340)
- A flaw exists in the 'get_allowed_mime_types' function in 'wp-includes/functions.php' that is due to HTML file uploads not requiring the unfiltered_html capability. With a specially crafted file, a remote attacker can more easily conduct a cross-site scripting (XSS) attack. (CVE-2013-5738)
- A flaw exists that allows a remote cross site redirection attack. This flaw exists because the application does not validate input passed via '_wp_http_referer' or '_wp_original_http_referer' upon submission to the 'edit-tags.php' and 'media.php' scripts. This could allow a user to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choosing. Such attacks are useful as the crafted URL initially appear to be a web page of a trusted site. This could be leveraged to direct an unsuspecting user to a web page containing attacks that target client side software such as a web browser or document rendering programs.
- A flaw exists that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the application does not validate the '_wp_http_referer' parameter upon submission to the '/wp-admin/edit-tags.php' script. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Solution

Upgrade to WordPress 3.6.1, or later.

See Also

http://codex.wordpress.org/Version_3.6.1

http://wordpress.org/news/2013/09/wordpress-3-6-1

Plugin Details

Severity: Critical

ID: 9094

Family: CGI

Published: 2016/02/26

Modified: 2018/09/16

Dependencies: 9035, 9036

Nessus ID: 69997

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:wordpress:wordpress

Patch Publication Date: 2013/09/11

Vulnerability Publication Date: 2013/09/11

Reference Information

CVE: CVE-2013-4338, CVE-2013-4339, CVE-2013-4340, CVE-2013-5738, CVE-2013-5739

BID: 62344, 62345, 62346, 62421, 62424, 64453, 64456