Vulnerability Details: CVE-2015-3438
Multiple cross-site scripting (XSS) vulnerabilities in WordPress before 4.1.2, when MySQL is used without strict mode, allow remote attackers to inject arbitrary web script or HTML via a (1) four-byte UTF-8 character or (2) invalid character that reaches the database layer, as demonstrated by a crafted character in a comment.
Vulnerability category: Cross-site scripting (XSS)
Products affected by CVE-2015-3438
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
Threat overview for CVE-2015-3438
Top countries where our scanners detected CVE-2015-3438
- Top open port discovered on systems with this issue: 22
- IPs affected by CVE-2015-3438: 1
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2015-3438
- EPSS score: 2.76% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~89% (the proportion of vulnerabilities that are scored at or less)
EPSS Score History
CVSS scores for CVE-2015-3438
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST |
CWE ids for CVE-2015-3438
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-3438
- http://www.securityfocus.com/bid/74269 (WordPress Multiple Security Vulnerabilities)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157391.html ([SECURITY] Fedora 22 Update: wordpress-4.2.1-1.fc22)
- http://www.debian.org/security/2015/dsa-3250 (Debian -- Security Information -- DSA-3250-1 wordpress)
- https://wpvulndb.com/vulnerabilities/7929 (WordPress <= 4.1.1 - Unauthenticated Stored Cross-Site Scripting (XSS))
- http://www.securitytracker.com/id/1032207 (WordPress Input Validation Flaws Permit Cross-Site Scripting and SQL Injection Attacks - SecurityTracker)
- https://wordpress.org/news/2015/04/wordpress-4-1-2/ (News – WordPress 4.1.2 Security Release – WordPress.org; tagged Patch, Vendor Advisory)
- http://codex.wordpress.org/Version_4.1.2 (Version 4.1.2 | WordPress.org; tagged Patch)
- https://cedricvb.be/post/wordpress-stored-xss-vulnerability-4-1-2/ (WordPress < 4.1.2 Stored XSS vulnerability - Cedric's Cruft; tagged Exploit)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html ([SECURITY] Fedora 21 Update: wordpress-4.2.2-1.fc21)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html ([SECURITY] Fedora 20 Update: wordpress-4.2.2-1.fc20)