
WordPress < 3.7.6 / 3.8.x < 3.8.6 / 3.9.x < 3.9.4 / 4.1.x < 4.1.2 Multiple Vulnerabilities

High

Synopsis

The remote server is hosting an outdated installation of WordPress that is vulnerable to multiple attack vectors.

Description

Versions of WordPress 3.7.x prior to 3.7.6, 3.8.x prior to 3.8.6, 3.9.x prior to 3.9.4, and 4.1.x prior to 4.1.2 are susceptible to the following vulnerabilities:

- An unspecified flaw exists that allows an attacker to upload arbitrary files with invalid or unsafe names. Note that this only affects versions 4.1 and higher. (OSVDB 121085)
- A cross-site scripting vulnerability exists due to improper validation of user-supplied input. A remote attacker, using a specially crafted request, can exploit this to execute arbitrary script code in a user's browser session. (OSVDB 121086)
- A limited cross-site scripting vulnerability exists due to improper validation of user-supplied input. A remote attacker, using a specially crafted request, can exploit this to execute arbitrary script code in a user's browser session. Note that this only affects versions 3.9 and higher. (OSVDB 121087)
- An unspecified SQL injection vulnerability exists in some plugins.

Solution

Upgrade to WordPress 4.1.2 or later. If upgrading to the 4.1.x branch is not possible, 3.7.6, 3.8.6, and 3.9.4 are also patched for these vulnerabilities.
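Because the fixed release differs per branch, a plain "version below 4.1.2" comparison would wrongly flag a patched 3.8.6 install. The following is an added example (not Tenable's plugin code) that applies the advisory's branch rules to a version string such as the one WordPress reports; it assumes the `MAJOR.MINOR[.PATCH]` format, reports branches the advisory does not list (e.g. 4.0.x) as undetermined, and lists which of the OSVDB issues above apply to an affected version.

```python
"""Branch-aware check of a WordPress version against this advisory."""
from typing import List, Optional, Tuple

# Fixed release per maintained branch, as listed in the advisory.
FIXED = {(3, 7): (3, 7, 6), (3, 8): (3, 8, 6), (3, 9): (3, 9, 4), (4, 1): (4, 1, 2)}

# Issues from the advisory: (OSVDB id, lowest branch the note says is affected).
ISSUES = [
    ("OSVDB 121085", (4, 1)),  # unsafe file names: 4.1 and higher only
    ("OSVDB 121086", (0, 0)),  # XSS: every affected version
    ("OSVDB 121087", (3, 9)),  # limited XSS: 3.9 and higher only
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a 3-tuple. WordPress omits a zero
    patch level ('4.1' means 4.1.0); a '-beta1' style suffix is dropped so a
    pre-release compares as its base version."""
    parts = text.strip().split("-", 1)[0].split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WordPress version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def advisory_status(text: str) -> Optional[bool]:
    """True if affected per this advisory, False if at or above the fixed
    release for its branch, None if the advisory names no fixed release for
    that branch (e.g. 4.0.x; check the vendor's release notes separately)."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    if v < min(FIXED.values()):   # title's "WordPress < 3.7.6": older branches
        return True
    if v >= max(FIXED.values()):  # "4.1.2 or later"
        return False
    return None


def applicable_issues(text: str) -> List[str]:
    """OSVDB ids from the advisory that apply to an affected version."""
    if advisory_status(text) is not True:
        return []
    branch = parse_version(text)[:2]
    return [osvdb for osvdb, min_branch in ISSUES if branch >= min_branch]
```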