SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   WordPress Vendors:   wordpress.org
WordPress Multiple Flaws Let Remote Users Deny Service, Execute Arbitrary Code, Conduct Cross-Site Scripting and Cross-Site Request Forgery Attacks, and Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1030684
SecurityTracker URL:  http://securitytracker.com/id/1030684
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 7 2014
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 3.9.2
Description:   Several vulnerabilities were reported in WordPress. A remote user may be able to execute arbitrary code on the target system. A remote user can cause denial of service conditions. A remote administrative user can conduct cross-site scripting and cross-site request forgery attacks. A remote user can obtain potentially sensitive information.

A remote user may be able to cause arbitrary code to be executed when the target system processes widgets; the default WordPress configuration is not affected. Alex Concha of the WordPress security team reported this vulnerability.

A remote user can supply specially crafted XML to trigger a flaw in XML processing and cause denial of service conditions. Nir Goldshlager of the Salesforce.com Product Security Team reported this vulnerability.

A remote administrative user can conduct cross-site scripting attacks.

A remote user can conduct XML entity attacks (e.g., external entity injection) against the bundled third-party GetID3 library to obtain potentially sensitive information. Ivan Novikov of ONSec reported this vulnerability.
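The two XML issues above (entity-expansion denial of service, and entity attacks against GetID3 that disclose data) share one precondition: the attacker-supplied document must carry a DOCTYPE, because that is where entities are declared. The example below is added here for illustration and is not WordPress, GetID3 or IXR code; it is written in Python rather than PHP purely for demonstration. It shows a parser wrapper that refuses any DTD construct before a single entity is expanded, run against constructed billion-laughs and file-disclosure payloads and a benign XML-RPC request. The payload strings, the size cap and the function names are assumptions made for the example.

```python
"""Refuse untrusted XML that declares a DTD, before any entity is expanded.

Illustrative code, not WordPress's or GetID3's. Both the entity-expansion
denial of service and the external-entity disclosure described in the
advisory need a DOCTYPE, so rejecting documents that carry one stops both
classes before the parser has done any work on them.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

MAX_BYTES = 1_000_000  # assumed cap; tune for the endpoint being protected


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD, entity or external reference."""


def _screen(data: bytes) -> None:
    """First pass: a bare expat parser whose only job is to abort on DTD constructs.

    An exception raised inside a handler stops expat immediately, so a
    billion-laughs document is refused at '<!DOCTYPE' and no entity is
    ever expanded; an XXE document never reaches its SYSTEM reference.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE '{name}' not allowed in untrusted XML")

    def on_entity_decl(*_):  # defence in depth; unreachable once DOCTYPE aborts
        raise UnsafeXML("entity declaration not allowed in untrusted XML")

    def on_external_ref(*_):
        raise UnsafeXML("external entity reference not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Malformed but not dangerous: surface as a plain parse error.
        raise ValueError(f"malformed XML: {exc}") from None


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source (an XML-RPC body, a tag blob, ...)."""
    if not isinstance(data, bytes):
        raise TypeError("pass raw bytes; decode text after parsing")
    if len(data) > MAX_BYTES:
        raise UnsafeXML(f"document larger than {MAX_BYTES} bytes refused")
    _screen(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return a short verdict string; handy for logging and for the checks below."""
    try:
        root = parse_untrusted_xml(data)
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    return f"parsed: <{root.tag}>"


# Constructed samples for the example (not captured traffic).
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""  # deliberately truncated at lol3; a real payload nests deeper

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<foo>&xxe;</foo>"""

METHOD_CALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>wp.getUsersBlogs</methodName>
  <params><param><value><string>alice</string></value></param></params>
</methodCall>"""

if __name__ == "__main__":
    for label, doc in (("billion laughs", BILLION_LAUGHS), ("xxe", XXE),
                       ("xml-rpc", METHOD_CALL)):
        print(f"{label:15s} {classify(doc)}")
```

The screening pass costs one extra parse of the input, which is cheap next to what an expansion bomb would cost; the size cap in front of it bounds even that. Because the guard keys on the DOCTYPE rather than on entity names, it also covers parameter entities and external DTD references without a special case for each.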

A remote user may be able to conduct cross-site request forgery attacks to take actions on the target system acting as the target user. David Tomaschik of the Google Security Team reported this vulnerability.

Impact:   A remote user can potentially execute arbitrary code on the target system.

A remote user can cause denial of service conditions.

A remote administrative user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WordPress software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A remote user may be able to take actions on the target system acting as the target user.

A remote user can obtain potentially sensitive information.

Solution:   The vendor has issued a fix (3.9.2).

The vendor's advisory is available at:

http://wordpress.org/news/2014/08/wordpress-3-9-2/

Vendor URL:  wordpress.org/news/2014/08/wordpress-3-9-2/
Cause:   Access control error, Input validation error, Not specified
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.





Copyright 2019, SecurityGlobal.net LLC