CVE-2017-6814Cross-site Scripting in Wordpress

CWE-79Cross-site Scripting5 documents5 sources
Severity
5.4MEDIUMNVD
EPSS
2.4%
top 14.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
WordpressDebian WordpressDebian Linux
Timeline
PublishedMar 12
Latest updateMay 14

Description

In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

debiandebian/wordpress< wordpress 4.7.3+dfsg-1 (bookworm)
Debianwordpress/wordpress< 4.7.3+dfsg-1+3

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: codex.wordpress.orgPatch: github.comPatch: wordpress.org

🔴Vulnerability Details

2
GHSA
GHSA-4h7x-7f94-8hcj: In WordPress before 42022-05-14
OSV
CVE-2017-6814: In WordPress before 42017-03-12

📋Vendor Advisories

1
Debian
CVE-2017-6814: wordpress - In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via...2017

💬Community

1
Bugzilla
CVE-2019-9075 binutils: heap-based buffer overflow in function _bfd_archive_64_bit_slurp_armap in archive64.c2019-02-25
CVE-2017-6814 — Cross-site Scripting in Wordpress | cvebase