Vigil@nce - WordPress: six vulnerabilities
May 2017 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of WordPress.
Impacted products: Debian, WordPress Core.
Severity: 2/4.
Creation date: 07/03/2017.
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in WordPress.
An attacker can trigger a Cross Site Scripting via Media File
Metadata, in order to run JavaScript code in the context of the
web site. [severity:2/4; CVE-2017-6814]
An attacker can deceive the user via Control Characters, in order
to redirect him to a malicious site. [severity:1/4; CVE-2017-6815]
An attacker can trigger a fatal error via Plugin Deletion, in
order to trigger a denial of service. [severity:2/4; CVE-2017-6816]
An attacker can trigger a Cross Site Scripting via YouTube Embeds,
in order to run JavaScript code in the context of the web site.
[severity:2/4; CVE-2017-6817]
An attacker can trigger a Cross Site Scripting via Taxonomy Term,
in order to run JavaScript code in the context of the web site.
[severity:2/4; CVE-2017-6818]
An attacker can trigger a Cross Site Request Forgery via Press
This, in order to force the victim to perform operations.
[severity:2/4; CVE-2017-6819]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/WordPress-six-vulnerabilities-22025