Description

WordPress is prone to multiple vulnerabilities, including remote code execution, security bypass and open redirect vulnerabilities. Exploiting these issues could allow an attacker to execute arbitrary code with the privileges of the user running the application, to compromise the application or the underlying database, to access or modify data, to compromise a vulnerable system, to perform otherwise restricted actions and subsequently create posts "written by" another user or to redirect users to arbitrary web sites and conduct phishing attacks. WordPress versions prior to 3.6.1 are vulnerable.

Remediation

Update to WordPress version 3.6.1 or latest

References

https://vagosec.org/2013/09/wordpress-php-object-injection/

https://vagosec.org/2013/12/wordpress-rce-exploit/

http://seclists.org/fulldisclosure/2013/Dec/174

https://wordpress.org/news/2013/09/wordpress-3-6-1/

Related Vulnerabilities

Plone arbitrary code execution

WordPress Plugin PictPress 'resize.php' Multiple Local File Include Vulnerabilities (1.0)

WordPress 4.4.x Multiple Vulnerabilities (4.4 - 4.4.16)

WordPress Plugin WP Customer Reviews Cross-Site Scripting (3.5.5)

WordPress Plugin Jetpack-WP Security, Backup, Speed, & Growth Cross-Site Scripting (3.9.1)

Severity

High

Classification

CVE-2013-4338 CVE-2013-4339 CVE-2013-4340 CVE-2013-5738 CVE-2013-5739 CWE-20 CWE-94 CWE-264 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Tags

Missing Update