CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS
Percentile
71.8%
Severity: Medium
Date : 2017-03-16
CVE-ID : CVE-2017-6814 CVE-2017-6815 CVE-2017-6816 CVE-2017-6817
CVE-2017-6818 CVE-2017-6819
Package : wordpress
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-202
The package wordpress before version 4.7.3-1 is vulnerable to multiple
issues including cross-site request forgery, cross-site scripting and
insufficient validation.
Upgrade to 4.7.3-1.
The problems have been fixed upstream in version 4.7.3.
None.
An authenticated cross-site scripting (XSS) vulnerability has been
discovered in WordPress before 4.7.3 via Media File Metadata. This is
demonstrated by both (1) mishandling of the playlist shortcode in the
wp_playlist_shortcode function in wp-includes/media.php and (2)
mishandling of meta information in the renderTracks function in wp-
includes/js/mediaelement/wp-playlist.js.
A vulnerability has been discovered in WordPress before 4.7.3 (wp-
includes/pluggable.php) that certain control characters can trick
redirect URL validation.
It has been discovered that unintended files can be deleted by
administrators in WordPress before 4.7.3 (wp-admin/plugins.php) using
the plugin deletion functionality.
An authenticated cross-site scripting (XSS) vulnerability has been
discovered in in WordPress before 4.7.3 (wp-includes/embed.php) via
YouTube URL Embeds.
A cross-site scripting (XSS) vulnerability has been discovered in
WordPress before 4.7.3 (wp-admin/js/tags-box.js) via taxonomy term
names.
A cross-site request forgery (CSRF) vulnerability exists on the Press
This page of WordPress. This issue can be used to create a Denial of
Service (DoS) condition if an authenticated administrator visits a
malicious URL.
A remote attacker is able to execute arbitrary javascript on the
clients machine or perform a denial of service attack against the
server by tricking an administrator to visit a certain site.
Furthermore a malicious administrator is able to delete unintended
files from the server.
https://codex.wordpress.org/Version_4.7.3
https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9
https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
https://security.archlinux.org/CVE-2017-6814
https://security.archlinux.org/CVE-2017-6815
https://security.archlinux.org/CVE-2017-6816
https://security.archlinux.org/CVE-2017-6817
https://security.archlinux.org/CVE-2017-6818
https://security.archlinux.org/CVE-2017-6819
codex.wordpress.org/Version_4.7.3
github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829
github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e
github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8
github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9
security.archlinux.org/AVG-202
security.archlinux.org/CVE-2017-6814
security.archlinux.org/CVE-2017-6815
security.archlinux.org/CVE-2017-6816
security.archlinux.org/CVE-2017-6817
security.archlinux.org/CVE-2017-6818
security.archlinux.org/CVE-2017-6819
sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html
sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS
Percentile
71.8%