QwikSec

Security Database

CVE

CWE

Training

CVE-2017-6814

Published: Mar 12, 2017

Modified: Aug 5, 2024

PUBLISHED

Description

In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7

x_refsource_MISC

vdb-entry

x_refsource_SECTRACK

vendor-advisory

x_refsource_DEBIAN

https://wpvulndb.com/vulnerabilities/8765

x_refsource_MISC

vdb-entry

x_refsource_BID

https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html

x_refsource_MISC

https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

x_refsource_MISC

http://openwall.com/lists/oss-security/2017/03/06/8

x_refsource_MISC

https://codex.wordpress.org/Version_4.7.3

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.