Vulnerability Scanning Solutions, LLC.
Our Process
What We Scan For
Sample Report
Client List
Contact Us
What We Scan For
Family: CGI abuses --> Category: attack

WordPress < Multiple Vulnerabilities Vulnerability Scan

Vulnerability Scan Summary
Checks for multiple vulnerabilities in WordPress <

Detailed Explanation for this Vulnerability Test

Synopsis :

The remote web server contains multiple PHP scripts that are prone to
various issues, including SQL injection and cross-site scripting

Description :

The version of WordPress installed on the remote host is prone to
several vulnerabilities :

- A SQL Injection Vulnerability
The bundled XML-RPC library fails to sanitize user-supplied
input to the 'xmlrpc.php' script. A possible hacker can exploit
this flaw to launch SQL injection attacks which may lead to
disclosure of the administrator's password hash, attacks
against the underlying database, and the like.

- Multiple Cross-Site Scripting Vulnerabilities
A possible hacker can pass arbitrary HTML and script code through
the 'p' and 'comment' parameters of the 'wp-admin/post.php'
script, which could result in disclosure of administrative
session cookies.

- Lost Password Security Issue
The application fails to initialize the variable 'message'
in 'wp_login.php' when notifying a user about a lost
password. If PHP's 'register_globals' setting is enabled,
a possible hacker can exploit this flaw to insert his own
text before the stock message from WordPress.

- Path Disclosure Vulnerabilities
By calling several scripts directly, a possible hacker can learn
the application's full installation path.

See also :

Solution :

Upgrade to WordPress version or later.

Threat Level:

Medium / CVSS Base Score : 4

Click HERE for more information and discussions on this network vulnerability scan.


P.O. Box 827051

Pembroke Pines, FL 33082-7051

Vulnerability Scanning Solutions, LLC.