Vulnerabilities > CVE-2015-5623 - Improper Access Control vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
WordPress before 4.2.3 does not properly verify the edit_posts capability, which allows remote authenticated users to bypass intended access restrictions and create drafts by leveraging the Subscriber role, as demonstrated by a post-quickdraft-save action to wp-admin/post.php.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Embedding Scripts within Scripts An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
- Signature Spoofing by Key Theft An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2015-12148.NASL description **WordPress 4.2.4 Security and Maintenance Release** WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset. Our thanks to those who have practiced responsible disclosure of security issues. WordPress 4.2.4 also fixes four bugs. For more information, see: the release notes or consult the list of changes. - the release notes: https://codex.wordpress.org/Version_4.2.4 - the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=3 3573&stop_rev=33396 **WordPress 4.2.3 Security and Maintenance Release** WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnonen. We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies. Our thanks to those who have practiced responsible disclosure of security issues. WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see : - the release notes: https://codex.wordpress.org/Version_4.2.3 - the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=3 3382&stop_rev=32430 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-08-14 plugin id 85389 published 2015-08-14 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85389 title Fedora 21 : wordpress-4.2.4-1.fc21 (2015-12148) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3328.NASL description Several vulnerabilities have been found in Wordpress, the popular blogging engine. - CVE-2015-3429 The file example.html in the Genericicons icon font package and twentyfifteen Wordpress theme allowed for cross site scripting. - CVE-2015-5622 The robustness of the shortcodes HTML tags filter has been improved. The parsing is a bit more strict, which may affect your installation. - CVE-2015-5623 A cross site scripting vulnerability allowed users with the Contributor or Author role to elevate their privileges. The oldstable distribution (wheezy) is only affected by CVE-2015-5622. This less critical issue will be fixed at a later time. last seen 2020-06-01 modified 2020-06-02 plugin id 85352 published 2015-08-13 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85352 title Debian DSA-3328-1 : wordpress - security update NASL family CGI abuses NASL id WORDPRESS_4_2_3.NASL description According to its version number, the WordPress application running on the remote web server is either version 3.7.x prior to 3.7.9, 3.8.x prior to 3.8.9, 3.9.x prior to 3.9.7, 4.1.x prior to 4.1.6, or 4.2.x prior to 4.2.3. It is, therefore, potentially affected by the following vulnerabilities : - A cross-site scripting (XSS) vulnerability exists due to a flaw in the Shortcode API in which shortcodes embedded in HTML tags are not properly handled before returning the input to the users. A remote, authenticated attacker can exploit this by using a crafted request to execute arbitrary code in the user last seen 2020-06-01 modified 2020-06-02 plugin id 85082 published 2015-07-29 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85082 title WordPress < 3.7.9 / 3.8.9 / 3.9.7 / 4.1.6 / 4.2.3 Multiple Vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2015-12235.NASL description **WordPress 4.2.4 Security and Maintenance Release** WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset. Our thanks to those who have practiced responsible disclosure of security issues. WordPress 4.2.4 also fixes four bugs. For more information, see: the release notes or consult the list of changes. - the release notes: https://codex.wordpress.org/Version_4.2.4 - the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=3 3573&stop_rev=33396 **WordPress 4.2.3 Security and Maintenance Release** WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnonen. We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies. Our thanks to those who have practiced responsible disclosure of security issues. WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see : - the release notes: https://codex.wordpress.org/Version_4.2.3 - the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=3 3382&stop_rev=32430 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-08-14 plugin id 85390 published 2015-08-14 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85390 title Fedora 22 : wordpress-4.2.4-1.fc22 (2015-12235) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_C80B27A2316511E58A1D14DAE9D210B8.NASL description Gary Pendergast reports : WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team. last seen 2020-06-01 modified 2020-06-02 plugin id 84973 published 2015-07-24 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84973 title FreeBSD : wordpress -- XSS vulnerability (c80b27a2-3165-11e5-8a1d-14dae9d210b8)
References
- http://codex.wordpress.org/Version_4.2.3
- http://openwall.com/lists/oss-security/2015/07/23/18
- http://www.debian.org/security/2015/dsa-3328
- http://www.securityfocus.com/bid/76011
- http://www.securitytracker.com/id/1033037
- https://core.trac.wordpress.org/changeset/33357
- https://wordpress.org/news/2015/07/wordpress-4-2-3/
- https://wpvulndb.com/vulnerabilities/8111