CVE-2016-7168 — Cross-site Scripting in Wordpress

CWE-79 — Cross-site Scripting8 documents6 sources

Severity

4.8MEDIUMNVD

EPSS

0.8%

top 25.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedJan 5

Latest updateMay 17

Description

Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 4.6.1+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 4.6.1+dfsg-1+3

▶NVDwordpress/wordpress4.6

Patches

Patch: codex.wordpress.org ↗Patch: github.com ↗Patch: wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-ffr7-33wh-7g9r: Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media↗2022-05-17

▶

OSV

CVE-2016-7168: Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media↗2017-01-05

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Office PowerPoint 2010 - Invalid Pointer Reference↗2016-09-21

▶

📋Vendor Advisories

Debian

CVE-2016-7168: wordpress - Cross-site scripting (XSS) vulnerability in the media_handle_upload function in ...↗2016

▶

💬Community

Bugzilla

CVE-2016-7168 CVE-2016-7169 wordpress: two security issues fixed in 4.6.1↗2016-09-08

▶

Bugzilla

CVE-2016-7168 CVE-2016-7169 wordpress: two security issues fixed in 4.6.1 [epel-all]↗2016-09-08

▶

Bugzilla

CVE-2016-7168 CVE-2016-7169 wordpress: two security issues fixed in 4.6.1 [fedora-all]↗2016-09-08

▶