
WordPress < 3.7.9 / 3.8.x < 3.8.9 / 3.9.x < 3.9.7 / 4.1.x < 4.1.6 / 4.2.x < 4.2.3 Multiple Vulnerabilities

Medium

Synopsis

The remote web server is hosting an outdated installation of WordPress that is affected by multiple vulnerabilities.

Description

Versions of WordPress 3.7.x prior to 3.7.9, 3.8.x prior to 3.8.9, 3.9.x prior to 3.9.7, 4.1.x prior to 4.1.6, and 4.2.x prior to 4.2.3 are affected by the following vulnerabilities:

- A cross-site scripting (XSS) vulnerability exists in the Shortcode API because shortcodes embedded in HTML tags are not properly sanitized before the content is returned to users. A remote, authenticated attacker can exploit this, via a crafted request, to execute arbitrary script code in a user's browser session. (OSVDB 125143)

- An unspecified vulnerability exists in Quick Draft that allows a remote user who is not authorized to create posts to create arbitrary drafts. (OSVDB 125144)

Solution

Upgrade to WordPress 4.2.3 or later. If upgrading to the 4.2.x branch is not possible, 3.7.9, 3.8.9, 3.9.7, and 4.1.6 are also patched against these vulnerabilities.
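The version ranges in the Description and the fixed releases in the Solution translate directly into a per-branch check. The following is an added example, not the plugin's own detection logic or WordPress code: it parses a version string, classifies it against the ranges above, and fingerprints a constructed sample page body via the generator meta tag WordPress emits by default. Function names, the regular expressions, and the sample HTML are this example's own; the convention of returning None for a branch the advisory does not list (for example 4.0.x) is also an assumption made here.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected branches and the first fixed release in each, taken from the
# Description and Solution sections of this advisory.
FIXED_IN = {
    (3, 7): (3, 7, 9),
    (3, 8): (3, 8, 9),
    (3, 9): (3, 9, 7),
    (4, 1): (4, 1, 6),
    (4, 2): (4, 2, 3),
}
# "Upgrade to WordPress 4.2.3 or later."
LATEST_FIXED: Version = (4, 2, 3)

# WordPress emits <meta name="generator" content="WordPress X.Y.Z" /> by default;
# the regular expression itself is written for this example.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+(\d+(?:\.\d+)*)',
    re.IGNORECASE,
)


def parse_version(text: str) -> Version:
    """Turn 'X.Y' or 'X.Y.Z' (trailing suffixes such as '-beta1' are ignored)
    into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised WordPress version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version_text: str) -> Optional[bool]:
    """Classify a version against the advisory's ranges.

    True  -> inside an affected range
    False -> at or above the fixed release for its branch, or 4.2.3 or later
    None  -> a branch this advisory does not list (for example 4.0.x), so no
             verdict can be drawn from this advisory alone (example convention)
    """
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    if v >= LATEST_FIXED:
        return False
    if v < (3, 7, 9):
        # The title's first clause, "WordPress < 3.7.9", also covers branches older than 3.7.
        return True
    return None


def version_from_html(html: str) -> Optional[str]:
    """Extract the WordPress version from the generator meta tag, if present."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def assess_html(html: str) -> Tuple[Optional[str], Optional[bool]]:
    """Fingerprint a page body and return (version, verdict)."""
    version = version_from_html(html)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


# Constructed sample response body; not captured from any real site.
SAMPLE_PAGE = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.2.2" />
<title>constructed sample</title></head><body></body></html>"""


if __name__ == "__main__":
    for candidate in ("3.7.8", "3.7.9", "3.9.6", "4.0.5", "4.1.6", "4.2.2", "4.2.3", "4.3"):
        print(f"{candidate:>6}: {is_vulnerable(candidate)}")
    print("sample page:", assess_html(SAMPLE_PAGE))
```

Two caveats apply to any version-based check like this one. Many sites strip the generator tag, so a missing version is not evidence that the installation is patched; the check simply has nothing to classify. Conversely, a version inside an affected range is a strong but not conclusive signal, since operators who apply backported fixes without changing the reported version will show up as false positives and should confirm against their change records.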