Vulnerability Description
The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denial of service (crash) via a comment with a crafted URL that triggers many recursive calls.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wordpress | Wordpress | <= 3.1 |
Related Weaknesses (CWE)
References
- http://core.trac.wordpress.org/ticket/16892
- http://secunia.com/advisories/44038Vendor Advisory
- http://secunia.com/advisories/49138Vendor Advisory
- http://wordpress.org/news/2011/04/wordpress-3-1-1/
- http://www.debian.org/security/2012/dsa-2470
- http://www.openwall.com/lists/oss-security/2012/04/19/17
- http://www.openwall.com/lists/oss-security/2012/04/19/6
- http://core.trac.wordpress.org/ticket/16892
- http://secunia.com/advisories/44038Vendor Advisory
- http://secunia.com/advisories/49138Vendor Advisory
- http://wordpress.org/news/2011/04/wordpress-3-1-1/
- http://www.debian.org/security/2012/dsa-2470
- http://www.openwall.com/lists/oss-security/2012/04/19/17
- http://www.openwall.com/lists/oss-security/2012/04/19/6
FAQ
What is CVE-2011-4957?
CVE-2011-4957 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The make_clickable function in wp-includes/formatting.php in WordPress before 3.1.1 does not properly check URLs before passing them to the PCRE library, which allows remote attackers to cause a denia...
How severe is CVE-2011-4957?
CVE-2011-4957 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2011-4957?
Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress.