CVE-2016-6896
Published 2017-01-18
Priority: P353 | Severity: high | CVSS 3.0 score: 7.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Exploit available
EPSS: 38.45% (98.4th percentile)
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 4.6.1+dfsg-1 (bookworm) | wordpress 4.6.1+dfsg-1 (bookworm) |
| wordpress | wordpress | <= 4.5.5 | — |
| wordpress | wordpress | — | — |
| wordpress | wordpress | >= 0 < 4.6.1+dfsg-1 | 4.6.1+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.6.1+dfsg-1 | 4.6.1+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.6.1+dfsg-1 | 4.6.1+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.6.1+dfsg-1 | 4.6.1+dfsg-1 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H |
| nvd | v2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:P |
| osv | | 7.1 | HIGH | |
| vendor_debian | | 7.1 | HIGH | |
Debian: CVE-2016-6897 [HIGH] (vendor_debian, 2016, CVSS 7.1)
wordpress - Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
Scope: local
bookworm: resolved (fixed in 4.6.1+dfsg-1)
bullseye: resolved (fixed in 4.6.1+dfsg-1)
forky: resolved (fixed in 4.6.1+dfsg-1)
sid: resolved (fixed in 4.6.1+dfsg-1)
trixie: resolved (fixed in 4.6.1+dfsg-1)
Debian: CVE-2016-10148 [MEDIUM] (vendor_debian, 2016, CVSS 4.3)
wordpress - The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php
The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.
Scope: local
bookworm: resolved (fixed in 4.6.1+dfsg-1)
bullseye: resolved (fixed in 4.6.1+dfsg-1)
forky: resolved (fixed in 4.6.1+dfsg-1)
sid: resolved (fixed in 4.6.1+dfsg-1)
trixie: resolved (fixed in 4.6.1+dfsg-1)
Debian: CVE-2016-6896 [HIGH] (vendor_debian, 2016, CVSS 7.1)
wordpress - Directory traversal vulnerability in the wp_ajax_update_plugin function
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.
Scope: local
bookworm: resolved (fixed in 4.6.1+dfsg-1)
bullseye: resolved (fixed in 4.6.1+dfsg-1)
forky: resolved (fixed in 4.6.1+dfsg-1)
sid: resolved (fixed in 4.6.1+dfsg-1)
trixie: resolved (fixed in 4.6.1+dfsg-1)
GHSA: GHSA-rxch-vxwr-47jw (CVE-2016-6897 [HIGH], CWE-352; ghsa_unreviewed, 2022-05-17, CVSS 7.1)
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
GHSA: GHSA-3wwg-h2fr-3v7w (CVE-2016-10148 [HIGH]; ghsa_unreviewed, 2022-05-17, CVSS 7.1)
The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.
GHSA: GHSA-7r4r-qf37-vqqq (CVE-2016-6896 [HIGH], CWE-22; ghsa_unreviewed, 2022-05-17)
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.
OSV: CVE-2016-10148 [MEDIUM] (osv, 2017-01-18, CVSS 4.3)
The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authenticated users to bypass intended read-access restrictions via the plugin parameter to wp-admin/admin-ajax.php, a related issue to CVE-2016-6896.
OSV: CVE-2016-6896 [HIGH] (osv, 2017-01-18, CVSS 7.1)
Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress 4.5.3 allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.
OSV: CVE-2016-6897 [HIGH] (osv, 2017-01-18, CVSS 7.1)
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
No detection rules found.
Exploit-DB: WordPress Core 4.5.3 - Directory Traversal / Denial of Service (exploitdb, 2016-08-22, CVSS 7.1; tagged CVE-2016-6897 [HIGH])
---
Path traversal vulnerability in WordPress Core Ajax handlers
Abstract
A path traversal vulnerability was found in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue was found during the Summer of Pwnage hacker event, running from July 1-29, a community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securi
Metasploit: WordPress Traversal Directory DoS (metasploit, CVSS 7.1; CVE-2016-6896 [HIGH])
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
Bugzilla: Path Traversal Vulnerability in Mozilla WP-Engine Wordpress 4.5.3 [MEDIUM] (bugzilla, 2016-09-08)
Path Traversal Vulnerability in Mozilla blog
affected URL : https://blog.mozilla.org
CMS : wordpress
Version 4.5.3
A path traversal vulnerability was found in the Core Ajax handlers of the WordPress 4.5.3 Admin API, and https://blog.mozilla.org is using the same version, so it is affected by the vulnerability. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition on an affected website.
The path traversal vulnerability exists in the file ajax-actions.php, in particular in the function wp_ajax_update_plugin().
As can be seen in the attached screenshot, the function first tries to retrieve some version information from the target plugin. After this is done, it chec
Bugzilla: CVE-2016-6896 CVE-2016-6897 wordpress: Multiple vulnerabilities fixed in wordpress 4.6 (bugzilla, 2016-08-22, CVSS 7.1; CVE-2016-6896 [HIGH])
A path traversal vulnerability was found in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.
It is also possible to trigger this issue via Cross-Site Request Forgery as the nonce check is done too late in this case.
References:
http://seclists.org/oss-sec/2016/q3/341
External References:
https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
Discussion:
Created wordpress tracking bugs for this issue:
Affects: fedora-all [bug 1369120]
Affects: epel-all [bug 1369121]
---
wordpress-4.6-2.fc25 has been pushe
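The three related issues above (CVE-2016-6896, CVE-2016-6897 and CVE-2016-10148) all come from one ordering mistake: the handler read the file named by the plugin parameter before the nonce and capability checks. The PHP below is an added example of the safe ordering for such an admin-ajax handler, not WordPress's own patch; the handler name, the AJAX action name and the 'updates' nonce action are assumptions, while the WordPress functions it calls are real ones.

```php
<?php
// Added example, not the WordPress 4.6 fix itself. Safe ordering for an admin-ajax
// handler that receives a plugin path from the request: CSRF check, then
// authorization, then path validation, and only then any file access.
// Assumed names: example_ajax_update_plugin, the 'example_update_plugin' action
// and the 'updates' nonce action.
function example_ajax_update_plugin() {
    // 1. CSRF protection first. A forged request from a logged-in subscriber dies
    //    here before any file is touched (the "late check_ajax_referer" of CVE-2016-6897).
    check_ajax_referer( 'updates' );

    // 2. Authorization next. Subscribers never reach the file system
    //    (the "get_plugin_data before update_plugins check" of CVE-2016-10148).
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_send_json_error( array( 'errorMessage' => 'Insufficient permissions.' ) );
    }

    // 3. Validate the parameter before treating it as a path.
    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
    // validate_file() returns non-zero for '..' components, absolute paths and
    // drive letters, which closes the traversal of CVE-2016-6896.
    if ( '' === $plugin || 0 !== validate_file( $plugin ) ) {
        wp_send_json_error( array( 'errorMessage' => 'Invalid plugin path.' ) );
    }
    // plugin_basename() normalises to the "dir/file.php" form relative to WP_PLUGIN_DIR.
    // Requiring the result to be an installed plugin means only a real plugin header
    // is ever read, never /dev/random or wp-config.php. get_plugins() comes from
    // wp-admin/includes/plugin.php, which admin-ajax.php loads.
    $plugin = plugin_basename( $plugin );
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( array( 'errorMessage' => 'Unknown plugin.' ) );
    }

    // 4. Only now read the plugin header; the path is known to point at a managed plugin.
    $data = get_plugin_data( WP_PLUGIN_DIR . '/' . $plugin );
    wp_send_json_success( array(
        'plugin'     => $plugin,
        'oldVersion' => $data['Version'],
    ) );
}
add_action( 'wp_ajax_example_update_plugin', 'example_ajax_update_plugin' );
```

Each of the three checks rejects one of the three related issues on its own, so the order matters as much as the presence of the checks: a capability check placed after the file read still leaves the read reachable.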
Bugzilla: CVE-2016-6896 CVE-2016-6897 wordpress: Multiple vulnerabilities fixed in wordpress 4.6 [fedora-all] (bugzilla, 2016-08-22, CVSS 7.1; CVE-2016-6896 [HIGH])
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla: CVE-2016-6896 CVE-2016-6897 wordpress: Multiple vulnerabilities fixed in wordpress 4.6 [epel-all] (bugzilla, 2016-08-22, CVSS 7.1; CVE-2016-6896 [HIGH])
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multip
References
http://www.openwall.com/lists/oss-security/2016/08/20/1
http://www.securitytracker.com/id/1036683
https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html
https://wpvulndb.com/vulnerabilities/8606
https://www.exploit-db.com/exploits/40288/