[Japanese]

JVNDB-2022-000087

Multiple vulnerabilities in WordPress

Overview

WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature.
  • Stored Cross-site scripting (CWE-79) - CVE-2022-43497
  • Stored Cross-site scripting (CWE-79) - CVE-2022-43500
  • Improper authentication (CWE-287) - CVE-2022-43504

Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-43504

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-43497

CVSS V3 Severity:
Base Metrics 6.1 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2022-43500
Affected Products


WordPress.org
  • WordPress versions prior to 6.0.3

Impact

  • An arbitrary script may be executed on the web browser of the user who is accessing the website using the product - CVE-2022-43497, CVE-2022-43500
  • A remote unauthenticated attacker may obtain the email address of the user who posted a blog using the WordPress Post by Email Feature - CVE-2022-43504
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
According to the developer, these vulnerabilities have been fixed in version 6.0.3.
Vendor Information

WordPress.org
CWE (What is CWE?)

  1. Improper Authentication(CWE-287) [IPA Evaluation]
  2. Cross-site Scripting(CWE-79) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2022-43497
  2. CVE-2022-43500
  3. CVE-2022-43504
References

  1. JVN : JVN#09409909
  2. National Vulnerability Database (NVD) : CVE-2022-43497
  3. National Vulnerability Database (NVD) : CVE-2022-43500
  4. National Vulnerability Database (NVD) : CVE-2022-43504
Revision History

  • [2022/11/08]
      Web page was published
  • [2024/06/06]
      References : Contents were added

Date Public2022/11/08
Date First Published2022/11/08
Date Last Updated2024/06/06