PT-2017-10974 · WordPress · WordPress
Marc-Alexandre Montpas · Published 2017-04-03 · Updated 2019-10-03 · CVE-2017-1001000
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
WordPress versions 4.7.0 through 4.7.1
Description
The issue allows remote attackers to modify arbitrary pages. The register_routes function in the REST API does not require an integer identifier, so attackers can send a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value. For example, the wp-json/wp/v2/posts/123?id=123helloworld URI can be used for this purpose.
Recommendations
For WordPress versions 4.7.0 through 4.7.1, update to version 4.7.2 or later to resolve the issue.
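One way to look for the request shape from the description in web server access logs, as an added example that is not part of the original advisory: it flags requests to wp-json/wp/v2/posts/<number> whose id query parameter is not a plain integer. The combined log format, the function names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# The posts route named in the description, ending in a numeric path identifier.
POSTS_ROUTE_RE = re.compile(r"/wp-json/wp/v2/posts/(?P<path_id>\d+)/?$")
ASCII_INT_RE = re.compile(r"[0-9]+")

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2017:10:00:00 +0000] "GET /wp-json/wp/v2/posts/123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Feb/2017:10:00:05 +0000] "POST /wp-json/wp/v2/posts/123?id=123helloworld HTTP/1.1" 200 734',
    '203.0.113.5 - - [01/Feb/2017:10:00:09 +0000] "GET /wp-json/wp/v2/posts/123?id=123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Feb/2017:10:00:12 +0000] "POST /wp-json/wp/v2/posts/45?context=edit&id=45%61bc HTTP/1.1" 200 701',
    '203.0.113.7 - - [01/Feb/2017:10:00:20 +0000] "GET /wp-json/wp/v2/posts?id=abc HTTP/1.1" 200 90',
]

def non_integer_ids(target):
    """Return decoded `id` query values that are not plain integers, but only
    for requests addressed to posts/<number>; otherwise an empty list."""
    parts = urlsplit(target)
    if not POSTS_ROUTE_RE.search(unquote(parts.path)):
        return []
    values = parse_qs(parts.query).get("id", [])  # parse_qs percent-decodes
    return [v for v in values if not ASCII_INT_RE.fullmatch(v)]

def scan(lines):
    """Return (line_number, method, target, bad_ids) for each flagged entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        bad = non_integer_ids(match.group("target"))
        if bad:
            hits.append((number, match.group("method"), match.group("target"), bad))
    return hits

if __name__ == "__main__":
    for number, method, target, bad in scan(SAMPLE_LOG):
        print(f"line {number}: {method} {target} -> non-integer id {bad}")
```

A parameter sent in the request body does not appear in access logs, so this covers only the query-string form given in the description.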
Exploit
Fix
Affected products
WordPress