// For flags

CVE-2019-9787

WordPress Core < 5.1.1 - Cross-Site Request Forgery to Cross-Site Scripting via Comments

Severity Score

9.6
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

WordPress, en versiones anteriores a la 5.1.1, no filtra correctamente el contenido, lo que conduce a la ejecución remota de código por parte de usuarios no autenticados en una configuración por defecto. Esto ocurre debido a que la protección CSRF se gestiona de manera incorrecta y porque la optimización del motor de búsqueda de los elementos A se realiza incorrectamente, lo que desemboca en Cross-Site Scripting (XSS). El XSS resulta en un acceso administrativo, lo que permite cambios arbitrarios en archivos .php. Esto está relacionado con wp-admin/includes/ajax-actions.php y wp-includes/comment.php.

*Credits: Simon Scannell
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-03-14 CVE Reserved
  • 2019-03-14 CVE Published
  • 2021-06-29 First Exploit
  • 2024-08-04 CVE Updated
  • 2024-10-31 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Wordpress
Search vendor "Wordpress"
Wordpress
Search vendor "Wordpress" for product "Wordpress"
< 5.1.1
Search vendor "Wordpress" for product "Wordpress" and version " < 5.1.1"
-
Affected