Vulnerabilities > CVE-2017-6816 - Incorrect Authorization vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
HIGH Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-860.NASL description Several vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following issues. CVE-2017-6814 Cross-Site Scripting (XSS) vulnerability via media file metadata CVE-2017-6815 Control characters can trick redirect URL validation in wp-includes/pluggable.php CVE-2017-6816 Unintended files can be deleted by administrators using the plugin deletion functionality For Debian 7 last seen 2020-03-17 modified 2017-03-20 plugin id 97797 published 2017-03-20 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97797 title Debian DLA-860-1 : wordpress security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-860-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(97797); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2017-6814", "CVE-2017-6815", "CVE-2017-6816"); script_name(english:"Debian DLA-860-1 : wordpress security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following issues. CVE-2017-6814 Cross-Site Scripting (XSS) vulnerability via media file metadata CVE-2017-6815 Control characters can trick redirect URL validation in wp-includes/pluggable.php CVE-2017-6816 Unintended files can be deleted by administrators using the plugin deletion functionality For Debian 7 'Wheezy', these problems have been fixed in version 3.6.1+dfsg-1~deb7u14. We recommend that you upgrade your wordpress packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2017/03/msg00017.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/wordpress" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected wordpress, and wordpress-l10n packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-l10n"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/12"); script_set_attribute(attribute:"patch_publication_date", value:"2017/03/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/20"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"wordpress", reference:"3.6.1+dfsg-1~deb7u14")) flag++; if (deb_check(release:"7.0", prefix:"wordpress-l10n", reference:"3.6.1+dfsg-1~deb7u14")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3815.NASL description Several vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to delete unintended files, mount Cross-Site Scripting attacks, or bypass redirect URL validation mechanisms. last seen 2020-06-01 modified 2020-06-02 plugin id 97922 published 2017-03-24 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97922 title Debian DSA-3815-1 : wordpress - security update NASL family CGI abuses NASL id WORDPRESS_4_7_3.NASL description According to its self-reported version number, the WordPress application running on the remote web server is prior to 4.7.3. It is, therefore, affected by multiple vulnerabilities : - A cross-site scripting (XSS) vulnerability exists in the wp_playlist_shortcode() function within the /wp-includes/media.php script due to a failure to validate input passed via audio file metadata before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user last seen 2020-06-01 modified 2020-06-02 plugin id 97635 published 2017-03-09 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97635 title WordPress < 4.7.3 Multiple Vulnerabilities
References
- https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
- https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663
- https://codex.wordpress.org/Version_4.7.3
- http://www.securityfocus.com/bid/96598
- https://wpvulndb.com/vulnerabilities/8767
- http://www.securitytracker.com/id/1037959
- http://www.debian.org/security/2017/dsa-3815