CVE-2017-6819 — Cross-Site Request Forgery in Wordpress

CWE-352 — Cross-Site Request Forgery CWE-601 — Open Redirect5 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

13.4%

top 5.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Github.com Bitly Oauth2 Proxy Debian Wordpress

Timeline

PublishedMar 12

Latest updateMay 14

Description

In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press This (wp-admin/includes/class-wp-press-this.php), leading to excessive use of server resources. The CSRF can trigger an outbound HTTP request for a large file that is then parsed by Press This.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/wordpress< wordpress 4.7.3+dfsg-1 (bookworm)

▶Debianwordpress/wordpress< 4.7.3+dfsg-1+3

▶NVDwordpress/wordpress4.7.2

▶Gogithub.com/bitly_oauth2_proxy< 2.2.0

Patches

Patch: codex.wordpress.org ↗Patch: github.com ↗Patch: wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-34f4-j2gj-cg3x: In WordPress before 4↗2022-05-14

▶

GHSA

Open Redirect in oauth2_proxy↗2021-12-20

▶

OSV

CVE-2017-6819: In WordPress before 4↗2017-03-12

▶

📋Vendor Advisories

Debian

CVE-2017-6819: wordpress - In WordPress before 4.7.3, there is cross-site request forgery (CSRF) in Press T...↗2017

▶