CVE-2016-6897

Name of the Vulnerable Software and Affected Versions WordPress versions prior to 4.6

Description A cross-site request forgery (CSRF) issue exists, allowing remote attackers to hijack the authentication of subscribers for certain operations by leveraging a late call to the check ajax referer function. This issue is related to a problem where attackers can perform actions on behalf of authenticated users.

Recommendations For WordPress versions prior to 4.6, update to version 4.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the wp ajax update plugin function in wp-admin/includes/ajax-actions.php until a patch is applied. Avoid using the vulnerable function for sensitive operations until the issue is resolved.