CERT-In Vulnerability Note
Multiple Vulnerabilities in WordPress
Original Issue Date: August 02, 2018
Severity Rating: HIGH
- WordPress versions 4.9.4 and prior
Multiple vulnerabilities have been reported in WordPress which could be exploited by a remote attacker to conduct open redirect and cross-site scripting (XSS) attacks against users of a targeted system.
1. Open Redirect Vulnerability
These vulnerabilities exist because the wp_http_validate_url() and wp_safe_redirect() functions do not properly validate URLs in the affected software. A remote attacker could exploit them by enticing a user to follow a crafted link that submits malicious input to the targeted system.
Successful exploitation could allow the remote attacker to redirect the user's browser to a malicious website and conduct further attacks on the targeted system. Because the link points at a trusted WordPress site and only the redirect target is attacker-controlled, such links are well suited to phishing.
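The check a safe-redirect helper must perform is an allowlist on the destination host, with every rejection falling back to a fixed same-site URL. The following is an added illustration in Python; it is not code from this note or from WordPress (whose wp_safe_redirect() is PHP). It assumes the site is served as https://example.com and that rejected targets are sent to a fixed landing page; the sample inputs are constructed open-redirect probes.

```python
"""Allowlist check for redirect targets (added example, not WordPress code).

Assumptions: the site lives at https://example.com, so "example.com" is the
only host a Location header may point to; anything else falls back to a fixed
same-site URL, which is the fail-closed behaviour a safe-redirect helper needs.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"example.com"}             # assumed site host
FALLBACK = "https://example.com/wp-admin/"  # assumed safe landing page


def validate_redirect(location: str, allowed_hosts=ALLOWED_HOSTS, fallback: str = FALLBACK) -> str:
    """Return `location` if it stays on an allowed host, else `fallback`.

    Cheap rejections run before URL parsing, and every rejection returns
    `fallback` rather than raising, so the caller always has a safe target.
    """
    location = location.strip()
    if not location:
        return fallback

    # CR/LF or other control bytes inside a Location header enable header injection.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in location):
        return fallback

    # Browsers read "//host", "/\host" and "\host" as scheme-relative URLs,
    # i.e. a hop to another origin even though no scheme is present.
    if location.startswith(("//", "/\\", "\\")):
        return fallback

    parts = urlsplit(location)

    # Only http(s): no javascript:, data:, ftp: and so on.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback

    # "https:evil.example" or "http:///evil.example" parse with an empty
    # authority, but a browser still resolves them to the foreign host.
    if parts.scheme and not parts.netloc:
        return fallback

    if parts.netloc:
        # .hostname lowercases and strips userinfo and port, so
        # "https://example.com@evil.example" yields "evil.example".
        # The port is deliberately not compared; key the allowlist on the
        # full authority if different ports of the site are distinct origins.
        host = parts.hostname
        if host is None or host not in allowed_hosts:
            return fallback
        return location

    # No scheme and no authority: a path relative to the current origin.
    return location


def _demo() -> None:
    # Constructed sample inputs: the first two are legitimate, the rest are
    # typical open-redirect probes.
    samples = [
        "/wp-admin/",
        "https://EXAMPLE.com/wp-admin/",
        "https://evil.example/",
        "//evil.example/",
        "/\\evil.example/",
        "https://example.com@evil.example/",
        "https://example.com.evil.example/",
        "javascript:alert(1)",
        "https:evil.example",
        "https://example.com/\r\nSet-Cookie: a=b",
    ]
    for sample in samples:
        verdict = "allow " if validate_redirect(sample) == sample else "reject"
        print(f"{verdict}  {sample!r}")


if __name__ == "__main__":
    _demo()
```

Running the block prints one allow/reject line per constructed sample. The userinfo, subdomain-suffix and backslash cases are the ones a naive "does it contain my domain" check gets wrong; comparing the parsed hostname against an allowlist handles all of them.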
2. Cross-site scripting vulnerability
A vulnerability exists in WordPress because the get_the_generator() function does not properly validate and escape user-supplied input before including it in generated output in the affected software.
A remote attacker could exploit this vulnerability by enticing a user to follow a malicious link on the targeted system.
Successful exploitation could allow the remote attacker to execute arbitrary script code in the user's browser in the context of the affected site, or to access sensitive browser-based information such as session cookies.
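The bug class here is an unescaped value inside an HTML attribute: a version string placed in content="..." must be escaped for the attribute context, quotes included, or a crafted value closes the attribute and the remainder is parsed as new markup. The following is an added illustration in Python (not WordPress's PHP and not code from this note or from WordPress); it assumes the version string is attacker-influenced and uses a constructed malicious value as input.

```python
"""Attribute-context escaping for a generator tag (added example, not WordPress code).

Assumption: `version` is attacker-influenced. The vulnerable form interpolates it
raw into content="..."; the hardened form escapes it for the attribute context.
A stdlib HTML parser shows what a browser would make of each result.
"""
import html
from html.parser import HTMLParser

# Constructed sample input: an attacker-chosen "version" string.
EVIL_VERSION = '4.9.4"><script>alert(document.cookie)</script><meta x="'


def generator_tag_unescaped(version: str) -> str:
    """Vulnerable form: raw interpolation into an attribute value."""
    return f'<meta name="generator" content="WordPress {version}" />'


def generator_tag_escaped(version: str) -> str:
    """Hardened form: html.escape(quote=True) encodes &, <, >, " and ',
    so the value cannot terminate the attribute it sits in."""
    return f'<meta name="generator" content="WordPress {html.escape(version, quote=True)}" />'


class _TagCollector(HTMLParser):
    """Records every start tag a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags via the default handle_startendtag.
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Return [(tag, attrs), ...] for the start tags in `markup`."""
    collector = _TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, tag in (("unescaped", generator_tag_unescaped(EVIL_VERSION)),
                       ("escaped  ", generator_tag_escaped(EVIL_VERSION))):
        print(f"{label}: {[name for name, _ in parse_tags(tag)]}")
```

With the constructed input the unescaped tag parses as three elements (meta, an injected script, and a second meta), while the escaped tag parses as a single meta whose content attribute is the full, harmless string. Escaping only < and > would not be enough in this context, since the double quote alone is what breaks out of the attribute.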
Apply the appropriate fixes issued by the vendor (these issues are addressed in WordPress 4.9.5) as described at the following link
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003