The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of WP

computer vulnerability bulletin CVE-2018-6389

WordPress Core: denial of service via load-scripts.php

Synthesis of the vulnerability

An attacker can generate an overload via load-scripts.php of WordPress Core, in order to trigger a denial of service.
Impacted products: WordPress Core.
Severity: 1/4.
Consequences: denial of service on server, denial of service on service.
Provenance: internet client.
Creation date: 06/02/2018.
Identifiers: CVE-2018-6389, VIGILANCE-VUL-25228.

Description of the vulnerability

The wp-admin/load-scripts.php script of WordPress Core serves, in a single response, the concatenation of every script handle listed in its load[] query parameter, and it does so without authentication.

However, versions through 4.9.2 put no limit on that list, so a request naming a large number of handles, repeated from one or a few clients, consumes CPU and memory on the server.

An attacker can therefore generate an overload via load-scripts.php of WordPress Core, in order to trigger a denial of service. Because the endpoint is unauthenticated, the practical mitigation is at the web server (rate limiting, or restricting load-scripts.php to logged-in sessions).
Full Vigil@nce bulletin... (Free trial)
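As an added example (not part of the Vigil@nce bulletin and not WordPress code), the following Python script scans web-server access-log lines for the load-scripts.php abuse pattern described above: a single request naming many script handles, or a burst of such requests from one client. The thresholds, the log lines and the client addresses are constructed for illustration; the handle names are ones WordPress registers.

```python
"""Flag abusive wp-admin/load-scripts.php requests in access logs.

Added example, not code from the Vigil@nce bulletin or from WordPress.
load-scripts.php concatenates every script handle listed in its load[]
parameter without authentication, so one request naming many handles, or a
burst of such requests from one client, is the CVE-2018-6389 pattern.
The thresholds and the log lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: client, identity, user, timestamp,
# request line, status, size (referer and user-agent are ignored here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed thresholds: a normal admin page pulls a handful of bundles, and a
# browser does not re-request load-scripts.php more than a few times.
MAX_HANDLES_PER_REQUEST = 20
MAX_REQUESTS_PER_CLIENT = 10


def handle_count(target):
    """Number of distinct script handles a load-scripts.php URL asks for
    (0 when the URL is another path)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/load-scripts.php"):
        return 0
    qs = parse_qs(parts.query)  # decodes load%5B%5D back to load[]
    handles = set()
    for key in ("load[]", "load"):
        for value in qs.get(key, []):
            handles.update(h for h in value.split(",") if h)
    return len(handles)


def analyse(lines):
    """Return {client_ip: (request_count, max_handles)} for clients whose
    load-scripts.php usage exceeds either threshold."""
    hits = Counter()
    worst = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        n = handle_count(m.group("target"))
        if n == 0:
            continue
        ip = m.group("ip")
        hits[ip] += 1
        worst[ip] = max(worst[ip], n)
    return {
        ip: (count, worst[ip])
        for ip, count in hits.items()
        if count > MAX_REQUESTS_PER_CLIENT or worst[ip] > MAX_HANDLES_PER_REQUEST
    }


# Constructed log lines. Handle names are taken from WordPress's registered
# scripts; the client addresses are documentation ranges.
_MANY_HANDLES = ",".join([
    "jquery-core", "jquery-migrate", "utils", "common", "wp-a11y", "sack",
    "quicktags", "colorpicker", "editor", "wp-ajax-response", "wp-api-request",
    "wp-pointer", "autosave", "heartbeat", "wp-auth-check", "wp-lists",
    "prototype", "scriptaculous-root", "scriptaculous-builder",
    "scriptaculous-dragdrop", "scriptaculous-effects", "scriptaculous-slider",
    "scriptaculous-sound", "scriptaculous-controls", "jquery-ui-core",
    "jquery-effects-core", "jquery-effects-blind", "jquery-effects-bounce",
])  # 28 distinct handles in one request
SAMPLE_LOG = [
    # legitimate admin page load: three bundles
    '192.0.2.10 - - [06/Feb/2018:10:00:01 +0000] "GET /wp-admin/load-scripts.php'
    '?c=1&load%5B%5D=jquery-core,jquery-migrate,utils&ver=4.9.2 HTTP/1.1" 200 90411',
    # one request asking for many handles at once
    '203.0.113.7 - - [06/Feb/2018:10:00:02 +0000] "GET /wp-admin/load-scripts.php'
    '?c=1&load%5B%5D=' + _MANY_HANDLES + ' HTTP/1.1" 200 2204112',
] + [
    # burst of small requests from a single client
    f'198.51.100.9 - - [06/Feb/2018:10:00:{s:02d} +0000] "GET /wp-admin/load-scripts.php'
    '?load%5B%5D=editor,common HTTP/1.1" 200 181202'
    for s in range(3, 15)
] + [
    '192.0.2.10 - - [06/Feb/2018:10:00:20 +0000] "GET /wp-content/themes/twentyseventeen/style.css HTTP/1.1" 200 78290',
]


if __name__ == "__main__":
    for ip, (count, handles) in analyse(SAMPLE_LOG).items():
        print(f"{ip}: {count} request(s), up to {handles} handles in one request")
```

Run against a real access log, feed the file's lines to analyse(); the two thresholds are the only site-specific tuning, and the flagged clients are candidates for a rate limit or block at the web server, since WordPress serves this endpoint before any authentication check.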

computer vulnerability note 25099

WordPress: Cross Site Scripting via MediaElement Flash Fallback

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via MediaElement Flash Fallback of WordPress, in order to run JavaScript code in the context of the web site.
Impacted products: WordPress Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 17/01/2018.
Identifiers: CERTFR-2018-AVI-034, VIGILANCE-VUL-25099.

Description of the vulnerability

The WordPress product offers a web service.

However, it does not filter data received via the MediaElement Flash Fallback before inserting it into generated HTML documents.

An attacker can therefore trigger a Cross Site Scripting via MediaElement Flash Fallback of WordPress, in order to run JavaScript code in the context of the web site.

computer vulnerability CVE-2017-17091 CVE-2017-17092 CVE-2017-17093

WordPress Core: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WordPress Core.
Impacted products: Debian, Fedora, WordPress Core.
Severity: 3/4.
Consequences: user access/rights, data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 30/11/2017.
Identifiers: CERTFR-2017-AVI-438, CVE-2017-17091, CVE-2017-17092, CVE-2017-17093, CVE-2017-17094, DLA-1216-1, DSA-4090-1, FEDORA-2017-15ce66d344, FEDORA-2017-994ff5ced8, VIGILANCE-VUL-24595.

Description of the vulnerability

An attacker can use several vulnerabilities of WordPress Core.

computer vulnerability bulletin CVE-2017-16510

WordPress Core: SQL injection via wpdb-prepare

Synthesis of the vulnerability

An attacker can use a SQL injection via wpdb-prepare of WordPress Core, in order to read or alter data.
Impacted products: Debian, Fedora, WordPress Core.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 31/10/2017.
Identifiers: CERTFR-2017-AVI-388, CVE-2017-16510, DLA-1160-1, DSA-4090-1, FEDORA-2017-6fd6877975, FEDORA-2017-9d0ff8d851, VIGILANCE-VUL-24278.

Description of the vulnerability

The $wpdb->prepare() function of WordPress Core is what plugins and themes call to build parameterized SQL queries.

However, in versions before 4.8.3, prepare() can produce unexpected and unsafe queries when attacker-controlled data is passed through it, so code that relies on it for escaping is exposed to SQL injection.

An attacker can therefore use a SQL injection via wpdb-prepare of WordPress Core, in order to read or alter data. The fix is in core, but whether a given site is reachable depends on how its plugins and themes pass data to prepare().

vulnerability alert CVE-2016-9263

WordPress Core: Cross Site Scripting via flashmediaelement.swf

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting via flashmediaelement.swf of WordPress Core, in order to run JavaScript code in the context of the web site.
Impacted products: Debian, WordPress Core.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 13/10/2017.
Identifiers: CVE-2016-9263, DLA-1151-1, DLA-1151-2, VIGILANCE-VUL-24131.

Description of the vulnerability

An attacker can trigger a Cross Site Scripting via flashmediaelement.swf of WordPress Core, in order to run JavaScript code in the context of the web site.

vulnerability announce CVE-2017-14990

WordPress Core: privilege escalation via wp_signups.activation_key

Synthesis of the vulnerability

An attacker can bypass restrictions via wp_signups.activation_key of WordPress, in order to escalate his privileges.
Impacted products: Debian, WordPress Core.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: user account.
Creation date: 03/10/2017.
Identifiers: 38474, CVE-2017-14990, DLA-1151-1, DLA-1151-2, DSA-3997-1, VIGILANCE-VUL-24012.

Description of the vulnerability

In a multisite installation, WordPress 4.8.2 stores wp_signups.activation_key values in cleartext, whereas the analogous wp_users.user_activation_key values are stored as hashes.

An attacker with read access to the database (for example through a separate SQL injection) can therefore use the key of a signup that has not yet been activated, in order to take over that account and escalate his privileges.

vulnerability note CVE-2017-14718 CVE-2017-14719 CVE-2017-14720

WordPress Core: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WordPress Core.
Impacted products: Debian, WordPress Core.
Severity: 2/4.
Consequences: user access/rights, client access/rights, data reading, data creation/edition, data deletion.
Provenance: document.
Number of vulnerabilities in this bulletin: 9.
Creation date: 20/09/2017.
Identifiers: CERTFR-2017-AVI-312, CVE-2017-14718, CVE-2017-14719, CVE-2017-14720, CVE-2017-14721, CVE-2017-14722, CVE-2017-14723, CVE-2017-14724, CVE-2017-14725, CVE-2017-14726, DLA-1151-1, DLA-1151-2, DSA-3997-1, VIGILANCE-VUL-23884.

Description of the vulnerability

An attacker can use several vulnerabilities of WordPress Core.

vulnerability CVE-2017-9061 CVE-2017-9062 CVE-2017-9063

WordPress Core: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WordPress.
Impacted products: Debian, Fedora, WordPress Core.
Severity: 2/4.
Consequences: user access/rights, client access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 6.
Creation date: 17/05/2017.
Identifiers: CERTFR-2017-AVI-157, CVE-2017-9061, CVE-2017-9062, CVE-2017-9063, CVE-2017-9064, CVE-2017-9065, CVE-2017-9066, DLA-1075-1, DLA-975-1, DSA-3870-1, DSA-4090-1, FEDORA-2017-46fcfd8c98, FEDORA-2017-d968f5a95f, FEDORA-2017-fe7c3c9c30, VIGILANCE-VUL-22750.

Description of the vulnerability

Several vulnerabilities were announced in WordPress.

An attacker can deceive the user via HTTP Class, in order to redirect him to a malicious site. [severity:1/4; CVE-2017-9066]

An attacker can bypass security features via XML-RPC API, in order to obtain sensitive information. [severity:2/4; CVE-2017-9065]

An attacker can bypass security features via XML-RPC API, in order to escalate his privileges. [severity:2/4; CVE-2017-9062]

An attacker can trigger a Cross Site Request Forgery via Filesystem Credentials Dialog, in order to force the victim to perform operations (VIGILANCE-VUL-22527). [severity:2/4; CVE-2017-9064]

An attacker can trigger a Cross Site Scripting via Large Files Upload, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2017-9061]

An attacker can trigger a Cross Site Scripting via Customizer, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2017-9063]

computer vulnerability alert CVE-2017-8295

WordPress Core: privilege escalation via Password Reset

Synthesis of the vulnerability

An attacker can bypass restrictions via Password Reset of WordPress Core, in order to escalate his privileges.
Impacted products: Debian, WordPress Core.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: internet client.
Creation date: 04/05/2017.
Identifiers: CVE-2017-8295, DLA-1075-1, DLA-975-1, DSA-3870-1, VIGILANCE-VUL-22646.

Description of the vulnerability

The password-reset e-mail sent by wp-login.php?action=lostpassword uses, in versions through 4.7.4, the HTTP Host header of the request (through the SERVER_NAME variable) to build the sender address.

An attacker who sends a crafted lostpassword request for the victim's account with a forged Host header can therefore cause the message, if it bounces or is replied to, to deliver the reset key to a mailbox under his control, in order to reset the victim's password and escalate his privileges. Since the issue lies in how the web server populates SERVER_NAME, configuring a fixed canonical host name (for example UseCanonicalName On on Apache) mitigates it independently of the WordPress version.

computer vulnerability announce 22527

WordPress Connection Information: Cross Site Request Forgery

Synthesis of the vulnerability

An attacker can trigger a Cross Site Request Forgery of WordPress Connection Information, in order to force the victim to perform operations.
Impacted products: Fedora, WordPress Core, WordPress Plugins ~ not comprehensive.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 21/04/2017.
Identifiers: FEDORA-2017-46fcfd8c98, FEDORA-2017-d968f5a95f, FEDORA-2017-fe7c3c9c30, VIGILANCE-VUL-22527.

Description of the vulnerability

The Connection Information dialog is the form through which WordPress (core, and plugins that reuse it) asks for filesystem credentials before writing files.

However, the origin of the requests that submit it is not checked: a request can, for example, be triggered by an image tag in an HTML document viewed by a logged-in administrator, and the browser attaches the session cookie to it.

An attacker can therefore trigger a Cross Site Request Forgery of WordPress Connection Information, in order to force the victim to perform operations.
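The following Python block is an added example, not WordPress or plugin code, showing the check that the bulletin above says is missing: a state-changing request gated only by the session cookie beside the same request gated by a nonce bound to the user, the action and a time window, modelled on the WordPress nonce scheme (wp_create_nonce / check_admin_referer). The secret key, the tick length, the handler names and the request dictionaries are constructed.

```python
"""CSRF protection for a state-changing admin request, modelled on the
WordPress nonce scheme (a short HMAC bound to the action, the user and a
time tick). Added example, not WordPress or plugin code: the secret key, the
tick length, the handler names and the request dictionaries are constructed.
"""
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-per-install-secret"  # assumed: comparable to NONCE_KEY/NONCE_SALT
NONCE_LIFE = 24 * 3600                           # assumed: 24 h, split into two 12 h ticks
ACTION = "update-connection-info"                # constructed action name


def _tick(now):
    return int(now // (NONCE_LIFE / 2))


def _nonce_for(tick, user_id, action):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[-12:-2]


def create_nonce(user_id, action, now=None):
    """Token to embed in the form (the WordPress equivalent is wp_nonce_field)."""
    now = time.time() if now is None else now
    return _nonce_for(_tick(now), user_id, action)


def verify_nonce(nonce, user_id, action, now=None):
    """Accept the current tick and the previous one, compared in constant time."""
    now = time.time() if now is None else now
    tick = _tick(now)
    return any(
        hmac.compare_digest(str(nonce), _nonce_for(t, user_id, action))
        for t in (tick, tick - 1)
    )


def vulnerable_handler(session, params):
    """Gated only by the session cookie, which the browser attaches to any
    request, including one triggered by <img src="https://site/...?host=evil">
    on an attacker's page viewed by the logged-in victim."""
    if session.get("user_id") is None:
        return 401, "login required"
    return 200, f"connection info set to {params.get('host')}"


def hardened_handler(session, params, now=None):
    """Same action, but the request must carry a nonce bound to this user and
    action (the WordPress equivalent is check_admin_referer). A cross-site
    <img> or auto-submitted form cannot supply it."""
    user_id = session.get("user_id")
    if user_id is None:
        return 401, "login required"
    if not verify_nonce(params.get("_wpnonce", ""), user_id, ACTION, now):
        return 403, "invalid or missing nonce"
    return 200, f"connection info set to {params.get('host')}"


def demo(now=1_500_000_000):
    """Run the cases a reviewer would check; returns the status code per case."""
    victim = {"user_id": 42}                      # constructed logged-in session
    forged = {"host": "attacker.example"}         # what an <img> request carries: no nonce
    legit = {"host": "db.internal", "_wpnonce": create_nonce(42, ACTION, now)}
    other = {"host": "db.internal", "_wpnonce": create_nonce(7, ACTION, now)}  # another user's nonce
    return {
        "forged_vulnerable": vulnerable_handler(victim, forged)[0],
        "forged_hardened": hardened_handler(victim, forged, now)[0],
        "legit_hardened": hardened_handler(victim, legit, now)[0],
        "other_user_nonce": hardened_handler(victim, other, now)[0],
        "expired_nonce": hardened_handler(victim, legit, now + NONCE_LIFE + 1)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The nonce works because the attacker's page can trigger the request but cannot read a token that only the victim's own page contains; it is still worth pairing with SameSite session cookies, and the check has to be applied to every handler that changes state, not only to the form that first renders the dialog.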