WordPress 2.8-4.7 – Accessibility Mode Cross-Site Request Forgery (CSRF) | CVE 2017-5492

Affects WordPress

3.8.1

Fixed in WordPress 3.8.17

3.8

Fixed in WordPress 3.8.17

3.7.1

Fixed in WordPress 3.7.17

3.6

Fixed in WordPress 4.7.1

3.5.2

Fixed in WordPress 4.7.1

3.5.1

Fixed in WordPress 4.7.1

3.5

Fixed in WordPress 4.7.1

3.4.2

Fixed in WordPress 4.7.1

3.4.1

Fixed in WordPress 4.7.1

3.4

Fixed in WordPress 4.7.1

3.3.3

Fixed in WordPress 4.7.1

3.3.2

Fixed in WordPress 4.7.1

3.3.1

Fixed in WordPress 4.7.1

3.3

Fixed in WordPress 4.7.1

3.2.1

Fixed in WordPress 4.7.1

3.2

Fixed in WordPress 4.7.1

3.1.4

Fixed in WordPress 4.7.1

3.1.3

Fixed in WordPress 4.7.1

3.1.2

Fixed in WordPress 4.7.1

3.1.1

Fixed in WordPress 4.7.1

3.1

Fixed in WordPress 4.7.1

3.0.6

Fixed in WordPress 4.7.1

3.0.5

Fixed in WordPress 4.7.1

3.0.4

Fixed in WordPress 4.7.1

3.0.3

Fixed in WordPress 4.7.1

3.0.2

Fixed in WordPress 4.7.1

3.0.1

Fixed in WordPress 4.7.1

3.0

Fixed in WordPress 4.7.1

2.9.2

Fixed in WordPress 4.7.1

2.9.1

Fixed in WordPress 4.7.1

2.9

Fixed in WordPress 4.7.1

2.8.6

Fixed in WordPress 4.7.1

2.8.5

Fixed in WordPress 4.7.1

2.8.4

Fixed in WordPress 4.7.1

2.8.3

Fixed in WordPress 4.7.1

2.8.2

Fixed in WordPress 4.7.1

2.8.1

Fixed in WordPress 4.7.1

2.8

Fixed in WordPress 4.7.1

3.6.1

Fixed in WordPress 4.7.1

3.9

Fixed in WordPress 3.9.15

3.9.1

Fixed in WordPress 3.9.15

3.7

Fixed in WordPress 3.7.17

3.8.2

Fixed in WordPress 3.8.17

3.8.3

Fixed in WordPress 3.8.17

3.9.2

Fixed in WordPress 3.9.15

4.0

Fixed in WordPress 4.0.14

4.1

Fixed in WordPress 4.1.14

4.1.1

Fixed in WordPress 4.1.14

4.2

Fixed in WordPress 4.2.11

3.9.3

Fixed in WordPress 3.9.15

4.1.2

Fixed in WordPress 4.1.14

4.2.1

Fixed in WordPress 4.2.11

4.0.1

Fixed in WordPress 4.0.14

4.1.5

Fixed in WordPress 4.1.14

4.1.4

Fixed in WordPress 4.1.14

4.1.3

Fixed in WordPress 4.1.14

3.8.4

Fixed in WordPress 3.8.17

3.7.4

Fixed in WordPress 3.7.17

4.2.3

Fixed in WordPress 4.2.11

3.8.8

Fixed in WordPress 3.8.17

3.8.5

Fixed in WordPress 3.8.17

3.8.6

Fixed in WordPress 3.8.17

3.8.7

Fixed in WordPress 3.8.17

3.7.2

Fixed in WordPress 3.7.17

3.7.3

Fixed in WordPress 3.7.17

3.7.5

Fixed in WordPress 3.7.17

3.7.6

Fixed in WordPress 3.7.17

3.7.7

Fixed in WordPress 3.7.17

3.7.8

Fixed in WordPress 3.7.17

3.7.9

Fixed in WordPress 3.7.17

3.8.9

Fixed in WordPress 3.8.17

3.9.4

Fixed in WordPress 3.9.15

3.9.5

Fixed in WordPress 3.9.15

3.9.6

Fixed in WordPress 3.9.15

3.9.7

Fixed in WordPress 3.9.15

4.0.2

Fixed in WordPress 4.0.14

4.0.3

Fixed in WordPress 4.0.14

4.0.4

Fixed in WordPress 4.0.14

4.0.5

Fixed in WordPress 4.0.14

4.0.6

Fixed in WordPress 4.0.14

4.1.6

Fixed in WordPress 4.1.14

4.2.2

Fixed in WordPress 4.2.11

4.2.4

Fixed in WordPress 4.2.11

4.1.7

Fixed in WordPress 4.1.14

4.0.7

Fixed in WordPress 4.0.14

3.9.8

Fixed in WordPress 3.9.15

3.8.10

Fixed in WordPress 3.8.17

3.7.10

Fixed in WordPress 3.7.17

4.3

Fixed in WordPress 4.3.7

4.3.1

Fixed in WordPress 4.3.7

4.2.5

Fixed in WordPress 4.2.11

4.1.8

Fixed in WordPress 4.1.14

4.0.8

Fixed in WordPress 4.0.14

3.9.9

Fixed in WordPress 3.9.15

3.8.11

Fixed in WordPress 3.8.17

3.7.11

Fixed in WordPress 3.7.17

4.4

Fixed in WordPress 4.4.6

3.7.12

Fixed in WordPress 3.7.17

3.8.12

Fixed in WordPress 3.8.17

3.9.10

Fixed in WordPress 3.9.15

4.0.9

Fixed in WordPress 4.0.14

4.1.9

Fixed in WordPress 4.1.14

4.2.6

Fixed in WordPress 4.2.11

4.3.2

Fixed in WordPress 4.3.7

4.4.1

Fixed in WordPress 4.4.6

4.4.2

Fixed in WordPress 4.4.6

4.3.3

Fixed in WordPress 4.3.7

4.2.7

Fixed in WordPress 4.2.11

4.1.10

Fixed in WordPress 4.1.14

4.0.10

Fixed in WordPress 4.0.14

3.9.11

Fixed in WordPress 3.9.15

3.8.13

Fixed in WordPress 3.8.17

3.7.13

Fixed in WordPress 3.7.17

4.5

Fixed in WordPress 4.5.5

4.5.1

Fixed in WordPress 4.5.5

3.7.14

Fixed in WordPress 3.7.17

3.8.14

Fixed in WordPress 3.8.17

3.9.12

Fixed in WordPress 3.9.15

4.0.11

Fixed in WordPress 4.0.14

4.1.11

Fixed in WordPress 4.1.14

4.2.8

Fixed in WordPress 4.2.11

4.3.4

Fixed in WordPress 4.3.7

4.4.3

Fixed in WordPress 4.4.6

4.5.2

Fixed in WordPress 4.5.5

4.5.3

Fixed in WordPress 4.5.5

3.7.15

Fixed in WordPress 3.7.17

3.8.15

Fixed in WordPress 3.8.17

3.9.13

Fixed in WordPress 3.9.15

4.0.12

Fixed in WordPress 4.0.14

4.1.12

Fixed in WordPress 4.1.14

4.2.9

Fixed in WordPress 4.2.11

4.3.5

Fixed in WordPress 4.3.7

4.4.4

Fixed in WordPress 4.4.6

4.6

Fixed in WordPress 4.6.2

3.7.16

Fixed in WordPress 3.7.17

3.8.16

Fixed in WordPress 3.8.17

3.9.14

Fixed in WordPress 3.9.15

4.0.13

Fixed in WordPress 4.0.14

4.1.13

Fixed in WordPress 4.1.14

4.2.10

Fixed in WordPress 4.2.11

4.3.6

Fixed in WordPress 4.3.7

4.4.5

Fixed in WordPress 4.4.6

4.5.4

Fixed in WordPress 4.5.5

4.6.1

Fixed in WordPress 4.6.2

4.7

Fixed in WordPress 4.7.1

References

CVE

CVE-2017-5492

URL

https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733

URL

https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

8.8 (high)

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

e080c934-6a98-4726-8e7a-43a718d05e79

Timeline

Publicly Published

2017-01-11 (about 7 years ago)

Added

2017-01-12 (about 7 years ago)

Last Updated

2020-09-22 (about 3 years ago)

Other

Published

Title

Published

2022-09-27

Title

Manage Notification E-mails < 1.8.3 - Settings Reset via CSRF

Published

2023-10-12

Title

WP Bing Map Pro < 5.0 - CSRF

Published

2023-10-17

Title

WP Radio <= 3.1.9 - CSRF

Published

2024-04-26

Title

WP GDPR Compliance <= 2.0.23 - Cross-Site Request Forgery

Published

2014-08-01

Title

WordPress 3.4.2 - Cross-Site Request Forgery (CSRF)