漏洞类别:CGI
漏洞等级: 
漏洞信息
WordPress is an open source blogging tool and content management system based on PHP and MySQL. It has many features including a plug-in architecture and a template system.
WordPress versions prior to 4.7.5 contain the following unauthorized HTTP redirection, cross-site request forgery and cross-site scripting vulnerabilities:
Insufficient redirect validation in the HTTP class.
Improper handling of post meta data values in the XML-RPC API.
Lack of capability checks for post meta data in the XML-RPC API.
A Cross Site Request Forgery (CRSF) vulnerability was discovered in the filesystem credentials dialog.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.
Affected Versions:
WordPress prior to 4.7.5
QID Detection Logic:
This QID depends on BlindElephant engine to detect the version of the WordPress installation as active attacks could potentially harm live installations.
漏洞危害
Depending on the vulnerability being exploited, a remote attacker could conduct CSRF, XSS attacks, gain access to sensitive meta data information or redirect users to malicious resources.
解决方案
Customers are advised to install WordPress 4.7.5 or later versions to remediate the vulnerabilities.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0day
文章评论