CVE-2019-9787

Affecting wordpress package, versions debian:10: <5.0.4+dfsg1-1 || debian:8: <4.1.26+dfsg-1+deb8u1 || debian:9: * || debian:unstable: <5.1.1+dfsg1-1

low severity

Overview

WordPress before 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.
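The upstream fix boundary above ("before 5.1.1") is the practical check a defender needs when triaging an install. The script below is an added example and is not Snyk's or WordPress's code: it reads the `$wp_version` assignment from a copy of `wp-includes/version.php` (the sample contents are constructed here), compares it against the fixed upstream release, and treats a pre-release tag such as `5.1.1-RC1` as older than `5.1.1`. It only models the upstream version line; the Debian package ranges listed on this page carry backported fixes under Debian's own version scheme, so on Debian the package manager, not this script, is the source of truth.

```python
import re
from typing import Optional, Tuple

# Fixed upstream release, taken from the advisory text ("WordPress before 5.1.1").
FIXED_UPSTREAM = "5.1.1"

# Matches the version assignment found in wp-includes/version.php.
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn a WordPress version string into a comparable key.

    '5.1' is padded to (5, 1, 0); a '-RC1' / '-beta2' suffix marks a
    pre-release, which sorts before the final release of the same number.
    """
    core, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    numbers = numbers + (0,) * (3 - len(numbers))
    release_flag = 0 if suffix else 1
    return (numbers, release_flag)


def is_affected(version: str, fixed: str = FIXED_UPSTREAM) -> bool:
    """True when the given upstream version predates the fixed release."""
    return version_key(version) < version_key(fixed)


def extract_wp_version(version_php: str) -> Optional[str]:
    """Pull the $wp_version value out of version.php contents, if present."""
    match = VERSION_RE.search(version_php)
    return match.group(1) if match else None


def assess(version_php: str) -> dict:
    """Combine extraction and comparison into one triage result."""
    version = extract_wp_version(version_php)
    if version is None:
        return {"version": None, "affected": None, "note": "no $wp_version found"}
    return {"version": version, "affected": is_affected(version), "note": ""}


# Constructed sample file contents (not real WordPress source).
SAMPLE_VULNERABLE = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '5.1';
$wp_db_version = 44719;
"""

SAMPLE_PATCHED = """<?php
$wp_version = '5.1.1';
"""

if __name__ == "__main__":
    for label, contents in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
        print(label, assess(contents))
```

Run it against a real install with `assess(open("/path/to/wp-includes/version.php").read())`; an `affected` value of `True` means the core files are older than the fixed release and should be updated.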

References

CVE: CVE-2019-9787
Snyk ID: SNYK-LINUX-WORDPRESS-440534
Published: 14 Mar, 2019