QwikSec

Security Database

CVE

CWE

Training

CVE-2019-9787

Published: Mar 14, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://blog.ripstech.com/2019/wordpress-csrf-to-rce/

x_refsource_MISC

https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/

x_refsource_MISC

https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b

x_refsource_MISC

https://wpvulndb.com/vulnerabilities/9230

x_refsource_MISC

vdb-entry

x_refsource_BID

https://wordpress.org/support/wordpress-version/version-5-1-1/

x_refsource_MISC

[debian-lts-announce] 20190331 [SECURITY] [DLA 1742-1] wordpress security update

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_DEBIAN

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.