Vulnerability Details: CVE-2015-3440
Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.1 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2015-3440
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
Threat overview for CVE-2015-3440
- Top open port discovered on systems with this issue: 22
- IPs affected by CVE-2015-3440: 6
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2015-3440
- EPSS score: 64.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~98% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2015-3440
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2015-3440
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-3440
- https://klikki.fi/adv/wordpress2.html
  Klikki Oy - WordPress 4.2 Stored XSS (Exploit)
- http://seclists.org/fulldisclosure/2015/Apr/84
  Full Disclosure: WordPress 4.2 stored XSS (Exploit)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/157391.html
  [SECURITY] Fedora 22 Update: wordpress-4.2.1-1.fc22
- http://www.debian.org/security/2015/dsa-3250
  Debian -- Security Information -- DSA-3250-1 wordpress
- https://core.trac.wordpress.org/changeset/32299
  Changeset 32299 – WordPress Trac
- http://packetstormsecurity.com/files/131644/WordPress-4.2-Cross-Site-Scripting.html
  WordPress 4.2 Cross Site Scripting ≈ Packet Storm (Exploit)
- https://wordpress.org/news/2015/04/wordpress-4-2-1/
  News – WordPress 4.2.1 Security Release – WordPress.org (Patch; Vendor Advisory)
- https://www.exploit-db.com/exploits/36844/
  WordPress 4.2 - Persistent Cross-Site Scripting (Exploit)
- http://www.securitytracker.com/id/1032199
  WordPress Input Validation Flaw in Processing Large Comments Permits Cross-Site Scripting Attacks - SecurityTracker
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158271.html
  [SECURITY] Fedora 21 Update: wordpress-4.2.2-1.fc21
- http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158278.html
  [SECURITY] Fedora 20 Update: wordpress-4.2.2-1.fc20
- http://codex.wordpress.org/Version_4.2.1
  Version 4.2.1 | WordPress.org
- https://wpvulndb.com/vulnerabilities/7945
  WordPress <= 4.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
- http://www.securityfocus.com/bid/74334
  WordPress Comment Section HTML Injection Vulnerability