Description

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

Remediation

References

CVE-2017-5493

Related Vulnerabilities

Handlebars Loop with Unreachable Exit Condition ('Infinite Loop') Vulnerability (CVE-2019-20922)

PHP Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2015-8935)

MySQL CVE-2020-14800 Vulnerability (CVE-2020-14800)

ReviveAdserver 7PK - Security Features Vulnerability (CVE-2016-9470)

WordPress Plugin Anti-Malware Security and Brute-Force Firewall Local File Inclusion (4.18.63)

Severity

High

Classification

CVE-2017-5493 CWE-338 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities