CVE-2019-9787 — Cross-Site Request Forgery in Wordpress

CWE-352 — Cross-Site Request Forgery7 documents7 sources

Severity

8.8HIGHNVD

EPSS

81.0%

top 0.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wordpress Debian Wordpress

Timeline

PublishedMar 14

Latest updateMay 14

Description

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/wordpress< wordpress 5.1.1+dfsg1-1 (bookworm)

▶NVDwordpress/wordpress< 5.1.1

▶Debianwordpress/wordpress< 5.1.1+dfsg1-1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-vqp9-3cmr-vgcc: WordPress before 5↗2022-05-14

▶

OSV

CVE-2019-9787: WordPress before 5↗2019-03-14

▶

📋Vendor Advisories

Debian

CVE-2019-9787: wordpress - WordPress before 5.1.1 does not properly filter comment content, leading to Remo...↗2019

▶

Red Hat

struts: Denial of service when using a Spring AOP functionality↗2017-08-11

▶

💬Community

HackerOne

Version problem in wordpress leads to the many vulnearability↗2020-01-10

▶

Bugzilla

CVE-2017-9787 struts: Denial of service when using a Spring AOP functionality↗2017-08-11

▶