WordPress versions 4.7.1 and earlier are affected by three security issues

Description:

  1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
  2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue.
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
  4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.

Impact: An intruder can take control of the web system by exploiting the above-mentioned vulnerabilities.

Mitigation: The vendor has released a new version (WordPress 4.7.2).

Reference URLs:
