CVE-2019-9787
Published 2019-03-14

CVE-2019-9787: WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This…

Priority: P2 63 · Severity: high · CVSS 3.0: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 43.75% (98.6th percentile)
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 5.1.1+dfsg1-1 (bookworm) | wordpress 5.1.1+dfsg1-1 (bookworm) |
| wordpress | wordpress | < 5.1.1 | 5.1.1 |
| wordpress | wordpress | >= 0 < 5.1.1+dfsg1-1 | 5.1.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.1.1+dfsg1-1 | 5.1.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.1.1+dfsg1-1 | 5.1.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.1.1+dfsg1-1 | 5.1.1+dfsg1-1 |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated comment submissions containing anchor (`<a>`) tags with crafted href/SEO attributes that may carry XSS payloads; the vulnerability stems from improper filtering of comment content and incorrect SEO handling of A elements.
- Detect CSRF token bypass attempts against WordPress comment submission endpoints; the exploit chain relies on mishandled CSRF protection to deliver the XSS payload.
- Alert on unexpected modifications to .php files via the WordPress admin interface (ajax-actions.php), which is the final stage of the RCE chain after XSS grants administrative access.
- Flag exploitation attempts originating from unauthenticated users (no valid WordPress session cookie) that result in admin-level actions; the full RCE chain is exploitable without authentication in a default WordPress configuration.
- The vulnerability is exploitable in a default WordPress configuration: no non-default settings are required, so every unpatched install is at risk.
- Patched in WordPress 5.1.1; Debian packages fixed in 5.1.1+dfsg1-1 across all tracked suites (bookworm, bullseye, sid, trixie, forky).
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
GHSA
GHSA-vqp9-3cmr-vgcc: WordPress before 5
ghsa_unreviewed · 2022-05-14 · CVE-2019-9787 [HIGH] · CWE-352
OSV
CVE-2019-9787: WordPress before 5
osv · 2019-03-14 · CVSS 8.8 · CVE-2019-9787 [HIGH]
Debian
CVE-2019-9787: wordpress - WordPress before 5.1.1 does not properly filter comment content, leading to Remo...
vendor_debian · 2019 · CVSS 8.8 · CVE-2019-9787 [HIGH]
Scope: local
bookworm: resolved (fixed in 5.1.1+dfsg1-1)
bullseye: resolved (fixed in 5.1.1+dfsg1-1)
forky: resolved (fixed in 5.1.1+dfsg1-1)
sid: resolved (fixed in 5.1.1+dfsg1-1)
trixie: resolved (fixed in 5.1.1+dfsg1-1)
Red Hat
struts: Denial of service when using a Spring AOP functionality
vendor_redhat · 2017-08-11 · CVSS 7.5 · CVE-2017-9787 [HIGH]
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Statement: A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache Struts 2 is not included in any Red Hat products. This earlier statement was incorrect. While Struts 2 is not actively compiled, shipped, used, or enabled in any Red Hat provided final products, and does not cause any vulnerability in the product, struts2-core jars have been included in some products' source code packages. The inclusion was part of an import of the Google Guice repository, which includes struts2-core. Customers that build artefacts from our
No detection rules found.
No public exploits indexed.
HackerOne
Version problem in wordpress leads to the many vulnerability
hackerone · 2020-01-10 · CVSS 6.1 · [MEDIUM]
## Title: WordPress 3.9-5.1 - Comment Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/9230
Reference: https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
Reference: https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
Reference: https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9787
## Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
Reference: https://wpvulndb.com/vulnerabilities/9867
Reference: https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
Reference: https://github.com/WordPress/WordPress/commit/30a
Bugzilla
CVE-2017-9787 struts: Denial of service when using a Spring AOP functionality
bugzilla · 2017-08-11 · CVSS 7.5 · CVE-2017-9787 [HIGH]
A flaw was found in Apache Struts 2.3.7 through 2.3.32 and 2.5 through 2.5.10.1. When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack even if the user was not properly authenticated but an application mixed secured and not secured actions in one class.
References:
- http://struts.apache.org/docs/s2-049.html
- https://lists.apache.org/thread.html/3795c4dd46d9ec75f4a6eb9eca11c11edd3e796c6c1fd7b17b5dc50d@%3Cannouncements.struts.apache.org%3E
Discussion:
Created struts tracking bugs for this issue:
Affects: epel-7 [bug 1480611]
Affects: fedora-all [bug 1480610]
---
Statement:
A previous statement by Red Hat related to this CVE, prior to August 2019, said that Apache S
References
- http://www.securityfocus.com/bid/107411
- https://blog.ripstech.com/2019/wordpress-csrf-to-rce/
- https://github.com/WordPress/WordPress/commit/0292de60ec78c5a44956765189403654fe4d080b
- https://lists.debian.org/debian-lts-announce/2019/03/msg00044.html
- https://wordpress.org/news/2019/03/wordpress-5-1-1-security-and-maintenance-release/
- https://wordpress.org/support/wordpress-version/version-5-1-1/
- https://wpvulndb.com/vulnerabilities/9230
- https://www.debian.org/security/2020/dsa-4677

Published: 2019-03-14