Vulnerability Details : CVE-2017-5612

Cross-site scripting (XSS) vulnerability in wp-admin/includes/class-wp-posts-list-table.php in the posts list table in WordPress before 4.7.2 allows remote attackers to inject arbitrary web script or HTML via a crafted excerpt.

Vulnerability category: Cross site scripting (XSS)

Published 2017-01-30 04:59:01

Updated 2019-03-19 12:27:34

Source Debian GNU/Linux

View at NVD, CVE.org

Threat overview for CVE-2017-5612

Top countries where our scanners detected CVE-2017-5612

Top open port discovered on systems with this issue 80

IPs affected by CVE-2017-5612 22

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2017-5612!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2017-5612

Probability of exploitation activity in the next 30 days: 0.23%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 60 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2017-5612

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	nvd@nist.gov
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.1	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N	2.8	2.7	nvd@nist.gov
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2017-5612

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-5612

https://codex.wordpress.org/Version_4.7.2

Version 4.7.2 | WordPress.org
Release Notes

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2017/01/28/5

oss-security - Re: CVE Request: Wordpress: 4.7.2 security release: unauthorized bypass, SQL injection, cross-site scripting issues
Mailing List;Third Party Advisory

CVEs referencing this url
https://wpvulndb.com/vulnerabilities/8731

WordPress 4.3.0-4.7.1 - Cross-Site Scripting (XSS) in posts list table
Third Party Advisory
https://github.com/WordPress/WordPress/commit/4482f9207027de8f36630737ae085110896ea849

Posts, Post Types: When using Excerpt mode on the Posts list table, e… · WordPress/WordPress@4482f92 · GitHub
Issue Tracking;Patch
http://www.securitytracker.com/id/1037731

WordPress Bugs Let Remote Users Conduct Cross-Site Scripting and SQL Injection Attacks, Obtain Potentially Sensitive Information, and Gain Elevated Privileges - SecurityTracker
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.securityfocus.com/bid/95816

WordPress Prior to 4.7.2 Multiple Security Vulnerabilities
Third Party Advisory;VDB Entry

CVEs referencing this url
http://www.debian.org/security/2017/dsa-3779

Debian -- Security Information -- DSA-3779-1 wordpress
Third Party Advisory

CVEs referencing this url
https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/

News – WordPress 4.7.2 Security Release – WordPress.org
Patch;Vendor Advisory

CVEs referencing this url

Products affected by CVE-2017-5612

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Wordpress » Wordpress
Versions up to, including, (<=) 4.7.1
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
Matching versions