CVE-2015-3438 — Cross-site Scripting in Wordpress

CWE-79 — Cross-site Scripting5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

1.6%

top 18.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress Debian Linux

Timeline

PublishedAug 5

Latest updateMay 17

Description

Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 4.2+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 4.2+dfsg-1+3

▶NVDwordpress/wordpress4.1.1

Also affects: Debian Linux 7.0, 8.0

Patches

Patch: codex.wordpress.org ↗Patch: wordpress.org ↗Patch: codex.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-cv8p-7fxf-fmqr: Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4↗2022-05-17

▶

OSV

CVE-2015-3438: Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4↗2015-08-05

▶

📋Vendor Advisories

Debian

CVE-2015-3438: wordpress - Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, w...↗2015

▶

💬Community

Bugzilla

CVE-2015-3438 CVE-2015-3439 wordpress: several vulnerabilities fixed in Wordpress 4.1.2↗2015-04-23

▶