CVE-2017-5493 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2017-5493?

CVE-2017-5493 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-5493?

Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress.

Vulnerability Description

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Wordpress	Wordpress	<= 4.7

Related Weaknesses (CWE)

CWE-338

References

http://www.debian.org/security/2017/dsa-3779
http://www.openwall.com/lists/oss-security/2017/01/14/6Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/95401
http://www.securitytracker.com/id/1037591
https://codex.wordpress.org/Version_4.7.1Release NotesVendor Advisory
https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa4Patch
https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-releVendor Advisory
https://wpvulndb.com/vulnerabilities/8721
http://www.debian.org/security/2017/dsa-3779
http://www.openwall.com/lists/oss-security/2017/01/14/6Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/95401
http://www.securitytracker.com/id/1037591
https://codex.wordpress.org/Version_4.7.1Release NotesVendor Advisory
https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa4Patch
https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-releVendor Advisory

FAQ

What is CVE-2017-5493?

CVE-2017-5493 is a vulnerability with a CVSS score of 7.5 (HIGH). wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended ac...

How severe is CVE-2017-5493?

CVE-2017-5493 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-5493?

Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress.