Description

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

Remediation

References

CVE-2017-5493

Related Vulnerabilities

Joomla! Core Information Disclosure (2.5.0 - 3.9.22)

WordPress Plugin Responsive WordPress Slider Cross-Site Scripting (2.2.0)

WordPress Plugin Ginger-EU Cookie Law Multiple Vulnerabilities (4.1.3)

WordPress Plugin Gallery PhotoBlocks Cross-Site Scripting (1.1.40)

Ruby Numeric Errors Vulnerability (CVE-2009-1904)

Severity

High

Classification

CVE-2017-5493 CWE-338 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities