Family: CGI abuses --> Category: attack
WordPress < 220.127.116.11 Multiple Vulnerabilities Vulnerability Scan
Vulnerability Scan Summary
Checks for multiple vulnerabilities in WordPress < 18.104.22.168
Detailed Explanation for this Vulnerability Test
The remote web server contains multiple PHP scripts that are prone to
various issues, including SQL injection and cross-site scripting
The version of WordPress installed on the remote host is prone to
several vulnerabilities :
- A SQL Injection Vulnerability
The bundled XML-RPC library fails to sanitize user-supplied
input to the 'xmlrpc.php' script. A possible hacker can exploit
this flaw to launch SQL injection attacks which may lead to
disclosure of the administrator's password hash, attacks
against the underlying database, and the like.
- Multiple Cross-Site Scripting Vulnerabilities
A possible hacker can pass arbitrary HTML and script code through
the 'p' and 'comment' parameters of the 'wp-admin/post.php'
script, which could result in disclosure of administrative
- Lost Password Security Issue
The application fails to initialize the variable 'message'
in 'wp_login.php' when notifying a user about a lost
password. If PHP's 'register_globals' setting is enabled,
a possible hacker can exploit this flaw to insert his own
text before the stock message from WordPress.
- Path Disclosure Vulnerabilities
By calling several scripts directly, a possible hacker can learn
the application's full installation path.
See also :
Upgrade to WordPress version 22.214.171.124 or later.
Medium / CVSS Base Score : 4
Click HERE for more information and discussions on this network vulnerability scan.