Vulnerabilities > CVE-2017-6816 - Incorrect Authorization vulnerability in Wordpress

047910
CVSS 5.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
wordpress
debian
CWE-863
nessus

Summary

In WordPress before 4.7.3 (wp-admin/plugins.php), unintended files can be deleted by administrators using the plugin deletion functionality.

Vulnerable Configurations

Part Description Count
Application
Wordpress
599
OS
Debian
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-860.NASL
    descriptionSeveral vulnerabilities were discovered in wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following issues. CVE-2017-6814 Cross-Site Scripting (XSS) vulnerability via media file metadata CVE-2017-6815 Control characters can trick redirect URL validation in wp-includes/pluggable.php CVE-2017-6816 Unintended files can be deleted by administrators using the plugin deletion functionality For Debian 7
    last seen2020-03-17
    modified2017-03-20
    plugin id97797
    published2017-03-20
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97797
    titleDebian DLA-860-1 : wordpress security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-860-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97797);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2017-6814", "CVE-2017-6815", "CVE-2017-6816");
    
      script_name(english:"Debian DLA-860-1 : wordpress security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities were discovered in wordpress, a web blogging
    tool. The Common Vulnerabilities and Exposures project identifies the
    following issues.
    
    CVE-2017-6814
    
    Cross-Site Scripting (XSS) vulnerability via media file metadata
    
    CVE-2017-6815
    
    Control characters can trick redirect URL validation in
    wp-includes/pluggable.php
    
    CVE-2017-6816
    
    Unintended files can be deleted by administrators using the plugin
    deletion functionality
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    3.6.1+dfsg-1~deb7u14.
    
    We recommend that you upgrade your wordpress packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2017/03/msg00017.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/wordpress"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected wordpress, and wordpress-l10n packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wordpress-l10n");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"wordpress", reference:"3.6.1+dfsg-1~deb7u14")) flag++;
    if (deb_check(release:"7.0", prefix:"wordpress-l10n", reference:"3.6.1+dfsg-1~deb7u14")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3815.NASL
    descriptionSeveral vulnerabilities were discovered in wordpress, a web blogging tool. They would allow remote attackers to delete unintended files, mount Cross-Site Scripting attacks, or bypass redirect URL validation mechanisms.
    last seen2020-06-01
    modified2020-06-02
    plugin id97922
    published2017-03-24
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97922
    titleDebian DSA-3815-1 : wordpress - security update
  • NASL familyCGI abuses
    NASL idWORDPRESS_4_7_3.NASL
    descriptionAccording to its self-reported version number, the WordPress application running on the remote web server is prior to 4.7.3. It is, therefore, affected by multiple vulnerabilities : - A cross-site scripting (XSS) vulnerability exists in the wp_playlist_shortcode() function within the /wp-includes/media.php script due to a failure to validate input passed via audio file metadata before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user
    last seen2020-06-01
    modified2020-06-02
    plugin id97635
    published2017-03-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97635
    titleWordPress < 4.7.3 Multiple Vulnerabilities