WordPress 5.4.x < 5.4.6 Object injection
critical Web Application Scanning Plugin ID 112790
Language:
Synopsis
WordPress 5.4.x < 5.4.6 Object injectionDescription
According to its self-reported version number, the detected WordPress application is affected by an object injection vulnerability in PHPMailer.Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update to WordPress version 5.4.6 or latest.See Also
https://wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
https://wordpress.org/support/wordpress-version/version-5-4-6/
Plugin Details
Severity: Critical
ID: 112790
Type: remote
Family: Component Vulnerability
Published: 5/17/2021
Updated: 10/7/2021
Scan Template: pci, api, scan
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2020-36326
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2020-36326
Vulnerability Information
CPE: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
Exploit Ease: No known exploits are available
Patch Publication Date: 5/13/2021
Vulnerability Publication Date: 5/13/2021
Reference Information
CVE: CVE-2018-19296, CVE-2020-36326
OWASP: 2013-A9, 2017-A9, 2010-A4, 2013-A4, 2010-A1, 2013-A1, 2017-A1, 2017-A8, 2021-A6, 2021-A8
WASC: Improper Input Handling
OWASP API: 2019-API7, 2019-API8
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(e)
DISA STIG: APSC-DV-002630, APSC-DV-002560
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.5.1, 4.0.2-5.1.2
ISO: 27001-A.14.2.5, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.13.1.3, 27001-A.13.2.1
CAPEC: 586