This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis, which may result in further changes to the information provided.
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements (the rewriting of links' rel attribute in comment content) is performed improperly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php. Note that "unauthenticated" describes the attacker: the chain still depends on a logged-in administrator being lured to an attacker-controlled page, which is why the v3 vector below carries UI:R.
Description Last Modified:
CVSS v3.0 Severity and Metrics:
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2.0 Severity and Metrics:
Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Victim must voluntarily interact with attack mechanism
Confidentiality Impact (C): Partial. Allows unauthorized disclosure of information
Integrity Impact (I): Partial. Allows unauthorized modification
Availability Impact (A): Partial. Allows disruption of service
3 change records found.
CVE Modified by MITRE - 3/21/2019 12:01:17 PM
|Action||Type||Old Value||New Value|
|Added||Reference||||https://wpvulndb.com/vulnerabilities/9230 [No Types Assigned]|
Initial Analysis - 3/15/2019 10:48:21 AM
|Action||Type||Old Value||New Value|
|Added||CPE Configuration||||OR *cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* versions up to (excluding) 5.1.1|
|Added||CVSS V2||||(AV:N/AC:M/Au:N/C:P/I:P/A:P)|
|Added||CVSS V2 Metadata||||Victim must voluntarily interact with attack mechanism|
|Added||CVSS V3||||AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H|
|Changed||Reference Type||http://www.securityfocus.com/bid/107411 No Types Assigned||http://www.securityfocus.com/bid/107411 Third Party Advisory, VDB Entry|
|Changed||Reference Type||https://blog.ripstech.com/2019/wordpress-csrf-to-rce/ No Types Assigned||https://blog.ripstech.com/2019/wordpress-csrf-to-rce/ Exploit, Third Party Advisory|
|Changed||Reference Type||https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b No Types Assigned||https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b Patch, Third Party Advisory|
|Changed||Reference Type||https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/ No Types Assigned||https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/ Release Notes, Vendor Advisory|
|Changed||Reference Type||https://wordpress.org/support/wordpress-version/version-5-1-1/ No Types Assigned||https://wordpress.org/support/wordpress-version/version-5-1-1/ Release Notes, Vendor Advisory|
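Added example (my code, not NVD's): a parser for the applicability line this record adds, plus a version check against it that handles the cases a naive string comparison gets wrong (5.1 versus 5.1.1, 5.10 versus 5.9, release candidates). The CPE line is quoted from this record; the sample versions are constructed. One caveat the range cannot express: WordPress also shipped this fix in updated point releases of older branches, so a site on an older branch may already be patched even though its version number falls inside NVD's range. Confirm against the vendor release notes referenced in this record rather than the version number alone.

```python
import re
from typing import NamedTuple, Optional

# The applicability line exactly as this change record adds it (spacing
# normalised); the CPE 2.3 string is the page's own, not a constructed one.
CPE_RANGE_LINE = ("OR *cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* "
                  "versions up to (excluding) 5.1.1")


class CpeRange(NamedTuple):
    vendor: str
    product: str
    start: Optional[str]        # low bound, or None when the range is open below
    start_inclusive: bool
    end: Optional[str]          # high bound, or None when the range is open above
    end_inclusive: bool


_CPE_RE = re.compile(r"cpe:2\.3:(?P<part>[^:]+):(?P<vendor>[^:]+):(?P<product>[^:]+):")
_FROM_RE = re.compile(r"from \((including|excluding)\) (\S+)")
_UP_TO_RE = re.compile(r"up to \((including|excluding)\) (\S+)")


def parse_cpe_range(line: str) -> CpeRange:
    """Parse an NVD applicability line such as
    'cpe:2.3:... versions from (including) A up to (excluding) B'.
    Either bound may be absent, as it is for the line on this page."""
    m = _CPE_RE.search(line)
    if m is None:
        raise ValueError("no CPE 2.3 string in line")
    start = end = None
    start_incl = end_incl = False
    f = _FROM_RE.search(line)
    if f:
        start_incl, start = f.group(1) == "including", f.group(2)
    u = _UP_TO_RE.search(line)
    if u:
        end_incl, end = u.group(1) == "including", u.group(2)
    return CpeRange(m["vendor"], m["product"], start, start_incl, end, end_incl)


def version_key(version: str) -> tuple:
    """Sort key giving 5.1 < 5.1.1 < 5.9 < 5.10 and 5.1.1-RC1 < 5.1.1.

    Trailing zeros are dropped (5.1.0 == 5.1) and a '-tag' suffix marks a
    pre-release, which sorts before the final release of the same number.
    """
    core, _, pre = version.partition("-")
    nums = []
    for piece in core.split("."):
        if not piece.isdigit():
            raise ValueError(f"non-numeric version component in {version!r}")
        nums.append(int(piece))
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 0 if pre else 1, pre.lower())


def is_affected(version: str, rng: CpeRange) -> bool:
    """True when version lies inside rng, honouring inclusive/exclusive bounds."""
    v = version_key(version)
    if rng.start is not None:
        s = version_key(rng.start)
        if v < s or (v == s and not rng.start_inclusive):
            return False
    if rng.end is not None:
        e = version_key(rng.end)
        if v > e or (v == e and not rng.end_inclusive):
            return False
    return True


if __name__ == "__main__":
    rng = parse_cpe_range(CPE_RANGE_LINE)
    # Constructed sample versions, not taken from any real inventory.
    for v in ("4.9.9", "5.0.3", "5.1", "5.1.1-RC1", "5.1.1", "5.2"):
        print(f"{rng.product} {v}: {'in range' if is_affected(v, rng) else 'not in range'}")
```

Keep the NamedTuple's two inclusivity flags: NVD emits both "(including)" and "(excluding)" at either end, and collapsing them to a single "less than" comparison is a common source of off-by-one findings in vulnerability scanners.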
CVE Modified by MITRE - 3/15/2019 6:29:19 AM
|Action||Type||Old Value||New Value|
|Added||Reference||||http://www.securityfocus.com/bid/107411 [No Types Assigned]|