WordPress 4.7.0-4.7.1 – Unauthenticated Page/Post Content Modification via REST API | CVE 2017-1001000

Affects WordPress

4.7

Fixed in WordPress 4.7.2

4.7.1

Fixed in WordPress 4.7.2

References

CVE

CVE-2017-1001000

URL

auxiliary/scanner/http/wordpress_content_injection

URL

https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html

URL

https://blogs.akamai.com/2017/02/wordpress-web-api-vulnerability.html

URL

https://gist.github.com/leonjza/2244eb15510a0687ed93160c623762ab

URL

https://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

ca45b052-aeb6-48ea-b675-0c0edf3405c3

Timeline

Publicly Published

2017-02-01 (about 7 years ago)

Added

2017-02-01 (about 7 years ago)

Last Updated

2020-09-22 (about 3 years ago)

Other

Published

Title

Published

2024-04-12

Title

Download Manager < 3.2.83 - Unauthenticated Password Protected File Bypass

Published

2019-06-21

Title

Seo By Rank Math <= 1.0.27 - Authenticated Settings Reset

Published

2019-09-24

Title

Rich Reviews < 1.8.0 - Unauthenticated Plugin Options Update

Published

2017-01-26

Title

WordPress 4.2.0-4.7.1 - Press This UI Available to Unauthorised Users

Published

2014-12-02

Title

InfiniteWP Client <= 1.3.7 - Privilege Escalation