[Japanese]

JVNDB-2011-000109

WordPress vulnerable to arbitrary PHP code execution

Overview

WordPress contains a vulnerability where arbitrary PHP code may be executed.

WordPress provided by WordPress.Org is a weblog system. WordPress contains a vulnerability where arbitrary PHP code may be executed.

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


WordPress.org
  • WordPress versions prior to 3.3

Impact

Arbitrary PHP code may be executed with the privilege of the application on the server where it resides.
Solution

[Update the software]
Update to the latest version according to the information provided by the developer.
Vendor Information

WordPress.org
CWE (What is CWE?)

  1. Code Injection(CWE-94) [IPA Evaluation]
CVE (What is CVE?)

References

  1. JVN : JVN#40498018
Revision History

[2011/12/26]
  Web page was published