Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2015-3440: Cross-site Scripting in WordPress

CWE-79: Cross-site Scripting | 11 documents | 6 sources

Severity: 6.1 MEDIUM (NVD) | NVD 4.3 | OSV 4.3
EPSS: 14.4% (top 5.56%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Aug 3 | Latest update May 17

Description

Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (3 packages)

debian | debian/wordpress | < wordpress 4.2.2+dfsg-1 (bookworm) | +1
Debian | wordpress/wordpress | < 4.2.2+dfsg-1 | +7
NVD | wordpress/wordpress | 4.2.1 | +1

Also affects: Debian Linux 7.0, 8.0

Patches

🔴 Vulnerability Details (4)

GHSA | GHSA-c2wg-9wh8-qj37: Cross-site scripting (XSS) vulnerability in wp-includes/wp-db | 2022-05-17
GHSA | GHSA-xg6f-394q-j4f9: Cross-site scripting (XSS) vulnerability in wp-includes/wp-db | 2022-05-17
OSV | CVE-2015-8834: Cross-site scripting (XSS) vulnerability in wp-includes/wp-db | 2016-05-22
OSV | CVE-2015-3440: Cross-site scripting (XSS) vulnerability in wp-includes/wp-db | 2015-08-03

💥 Exploits & PoCs (1)

Exploit-DB | WordPress Core 4.2 - Persistent Cross-Site Scripting | 2015-04-27

📋 Vendor Advisories (2)

Debian | CVE-2015-8834: wordpress - Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress b... | 2015
Debian | CVE-2015-3440: wordpress - Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress b... | 2015

💬 Community (2)

Bugzilla | CVE-2015-8834 wordpress: XSS vulnerability allowing to inject script via long comment | 2016-05-24
Bugzilla | CVE-2015-3440 wordpress: stored XSS via long comments | 2015-04-28
CVE-2015-3440 — Cross-site Scripting in Wordpress | cvebase