Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
References
Link | Resource |
---|---|
https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/ | Patch Vendor Advisory |
https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html | Third Party Advisory |
https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0 | Patch |
https://codex.wordpress.org/Version_4.6.1 | Patch |
http://www.securityfocus.com/bid/92841 | Third Party Advisory VDB Entry |
http://www.openwall.com/lists/oss-security/2016/09/08/24 | Third Party Advisory |
http://www.openwall.com/lists/oss-security/2016/09/08/19 | Third Party Advisory |
https://wpvulndb.com/vulnerabilities/8615 | |
http://www.debian.org/security/2016/dsa-3681 |
Configurations
Information
Published : 2017-01-04 18:59
Updated : 2017-11-03 18:29
NVD link : CVE-2016-7168
Mitre link : CVE-2016-7168
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products Affected
wordpress
- wordpress