CVE-2016-6897
WordPress Core < 4.6 - Cross-Site Request Forgery
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to the check_ajax_referer function, a related issue to CVE-2016-6896.
Vulnerabilidad de CSRF en la función wp_ajax_update_plugin en wp-admin/includes/ajax-actions.php en WordPress en versiones anteriores a 4.6 permite a atacantes remotos secuestrar la autenticación de subscriptores para operaciones de lectura /dev/random aprovechando una llamada tardía a la función check_ajax_referer, un caso relacionado con CVE-2016-6896.
Cross-site request forgery (CSRF) vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 allows remote attackers to hijack the authentication of subscribers for /dev/random read operations by leveraging a late call to
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-08-16 CVE Published
- 2016-08-22 CVE Reserved
- 2024-06-30 EPSS Updated
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2016/08/20/1 | Mailing List |
|
| http://www.securityfocus.com/bid/92572 | Vdb Entry | |
| http://www.securitytracker.com/id/1036683 | Vdb Entry | |
| https://github.com/WordPress/WordPress/commit/8c82515ab62b88fb32d01c9778f0204b296f3568 | X_refsource_confirm | |
| https://sumofpwn.nl/advisory/2016/path_traversal_vulnerability_in_wordpress_core_ajax_handlers.html | X_refsource_misc | |
| https://wpvulndb.com/vulnerabilities/8606 | X_refsource_misc | |
| - |
| URL | Date | SRC |
|---|---|---|
| https://www.exploit-db.com/exploits/40288 | 2024-08-06 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Wordpress Search vendor "Wordpress" | Wordpress Search vendor "Wordpress" for product "Wordpress" | <= 4.5.5 Search vendor "Wordpress" for product "Wordpress" and version " <= 4.5.5" | - |
Affected
| ||||||