Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

ubuntu логотип

CVE-2019-9787

Опубликовано: 14 мар. 2019
Источник: ubuntu
Приоритет: medium
EPSS Высокий
CVSS2: 6.8
CVSS3: 8.8

Описание

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

РелизСтатусПримечание
bionic

ignored

end of standard support, was needs-triage
cosmic

ignored

end of life
devel

not-affected

5.1.1+dfsg1-1
disco

not-affected

5.1.1+dfsg1-1
eoan

not-affected

5.1.1+dfsg1-1
esm-apps/bionic

needs-triage

esm-apps/focal

not-affected

5.1.1+dfsg1-1
esm-apps/jammy

not-affected

5.1.1+dfsg1-1
esm-apps/noble

not-affected

5.1.1+dfsg1-1
esm-apps/xenial

needs-triage

Показывать по

Ссылки на источники

EPSS

Процентиль: 99%
0.86996
Высокий

6.8 Medium

CVSS2

8.8 High

CVSS3

Связанные уязвимости

nvd логотип

CVE-2019-9787

CVSS3: 8.8
nvd
больше 6 лет назад

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

debian логотип

CVE-2019-9787

CVSS3: 8.8
debian
больше 6 лет назад

WordPress before 5.1.1 does not properly filter comment content, leadi ...

github логотип

GHSA-vqp9-3cmr-vgcc

CVSS3: 8.8
github
около 3 лет назад

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

fstec логотип

BDU:2020-03934

CVSS3: 8.8
fstec
больше 6 лет назад

Уязвимость функции wp_ajax_replyto_comment (ajax-actions.php) и wp_handle_comment_submission (comment.php) системы управления содержимым сайта WordPress, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

EPSS

Процентиль: 99%
0.86996
Высокий

6.8 Medium

CVSS2

8.8 High

CVSS3