EPSS
Percentile
72.8%
In wp-admin/user-new.php the newbloguser key is set to a string that can be get from the user ID, which allows an attacker to bypass intended access restrictions by entering this string.
Update WordPress to 4.9.1
wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
www.cvedetails.com/cve/CVE-2017-17091/