CVE-2019-9787
published 2019-03-14


Priority: P2 · 63 · high
CVSS 3.0: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 43.75% (98.6th percentile)
WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

Affected

6 ranges

Vendor      Product     Version range                             Fixed in
debian      wordpress   < wordpress 5.1.1+dfsg1-1 (bookworm)      wordpress 5.1.1+dfsg1-1 (bookworm)
wordpress   wordpress   < 5.1.1                                   5.1.1
wordpress   wordpress   >= 0, < 5.1.1+dfsg1-1                     5.1.1+dfsg1-1
wordpress   wordpress   >= 0, < 5.1.1+dfsg1-1                     5.1.1+dfsg1-1
wordpress   wordpress   >= 0, < 5.1.1+dfsg1-1                     5.1.1+dfsg1-1
wordpress   wordpress   >= 0, < 5.1.1+dfsg1-1                     5.1.1+dfsg1-1

Detection & IOCs (extracted from sources)

path: wp-admin/includes/ajax-actions.php
path: wp-includes/comment.php
  • Monitor for unauthenticated comment submissions containing anchor (<a>) tags with crafted href/SEO attributes that may carry XSS payloads; the vulnerability stems from improper filtering of comment content and incorrect SEO handling of A elements.
  • Detect CSRF token bypass attempts against WordPress comment submission endpoints; the exploit chain relies on mishandled CSRF protection to deliver the XSS payload.
  • Alert on unexpected modifications to .php files via the WordPress admin interface (ajax-actions.php), which is the final stage of the RCE chain after XSS grants administrative access.
  • Flag exploitation attempts originating from unauthenticated users (no valid WordPress session cookie) that result in admin-level actions; the full RCE chain is exploitable without authentication in a default WordPress configuration.
  • The vulnerability is exploitable in a default WordPress configuration; no non-default settings are required, so every unpatched install is at risk.
  • Patched in WordPress 5.1.1; Debian packages fixed in 5.1.1+dfsg1-1 across all tracked suites (bookworm, bullseye, sid, trixie, forky).

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      8.8     HIGH       CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                       8.8     HIGH
vendor_debian             8.8     HIGH
vendor_redhat             7.5     HIGH