MS-ISAC CYBERSECURITY ADVISORIES
MS-ISAC ADVISORY NUMBER:
Multiple Vulnerabilities in WordPress Content Management System Could Allow for Unauthenticated Privilege Escalation
There are currently no reports of these vulnerabilities being exploited in the wild.
- WordPress versions 4.7.1 and earlier
- Large and medium government entities: High
- Small government entities: Medium
- Large and medium business entities: High
- Small business entities: Medium
- Home users: Low
WordPress issued a security and maintenance release which fixes multiple vulnerabilities in versions 4.7.1 and earlier. This security and maintenance release addresses the following vulnerabilities:
- An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.
- The user interface for assigning taxonomy terms in "Press This" is shown to users who do not have permissions to use it.
- "WP_Query" is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but additional hardening was added to prevent plugins and themes from accidentally causing a vulnerability.
- A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
Successful exploitation of these vulnerabilities could allow unauthorized privilege escalation, enabling an attacker to compromise the affected website or to access or modify data on it.
We recommend the following actions be taken:
- Ensure no unauthorized system changes have occurred before applying patches.
- Update WordPress CMS to the latest version after appropriate testing.
- Run all software as a non-privileged user to diminish the effects of a successful attack.
- Review and follow WordPress hardening guidelines - http://codex.wordpress.org/Hardening_WordPress.
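The following POSIX shell script is an added example, not part of the MS-ISAC advisory and not WordPress's own tooling. It supports the affected-versions line and the update recommendation above: it reads the version string from an install's wp-includes/version.php and flags any install at 4.7.1 or earlier as being in the affected range. The install directory it scans and the sample version.php it writes are constructed for the demonstration; on a real host you would point `is_affected` at the document root of each WordPress site.

```shell
#!/bin/sh
# Added example, not part of the MS-ISAC advisory: an inventory check that reads the
# version string from a WordPress install's wp-includes/version.php and flags installs
# at 4.7.1 or earlier, the range the advisory lists as affected. The install directory
# and the sample version.php written below are constructed for the demonstration.

LAST_AFFECTED="4.7.1"   # from the advisory: 4.7.1 and earlier are affected

# Print the value of $wp_version from a version.php file. The line looks like
#   $wp_version = '4.7.1';
# so splitting on single quotes puts the version string in field 2.
wp_version_of() {
    awk -F"'" '/^[$]wp_version/ { print $2; exit }' "$1"
}

# Compare two dotted version strings field by field; prints -1, 0 or 1.
# Missing trailing fields count as 0, so 4.7 and 4.7.0 compare equal.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit status 0 when the install rooted at $1 is in the affected range,
# 1 when it is newer, 2 when no version string could be read.
is_affected() {
    found=$(wp_version_of "$1/wp-includes/version.php" 2>/dev/null) || return 2
    [ -n "$found" ] || return 2
    [ "$(vercmp "$found" "$LAST_AFFECTED")" -le 0 ]
}

# Write a minimal fake install tree so the check can be exercised offline
# (constructed data, not a real site).
make_fake_install() {   # $1 = directory, $2 = version string
    mkdir -p "$1/wp-includes"
    printf '<?php\n$wp_version = %s;\n' "'$2'" > "$1/wp-includes/version.php"
}

# Demonstration over constructed installs.
demo() {
    d=$(mktemp -d)
    for v in 4.7 4.7.1 4.8; do
        make_fake_install "$d" "$v"
        if is_affected "$d"; then
            echo "$v: affected, update after testing"
        else
            echo "$v: not in the affected range"
        fi
    done
    rm -rf "$d"
}

demo
```

The version comparison is deliberately numeric per field rather than a string comparison, so that a hypothetical 4.10 sorts after 4.7.1; an install whose version.php cannot be read is reported separately (exit status 2) rather than silently treated as safe, which is the failure mode an inventory check should avoid.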