WordPress <= 4.7 – Cross-Site Request Forgery (CSRF) via Flash Upload | CVE 2017-5489

Affects WordPress

4.7

Fixed in WordPress 4.7.1

References

CVE

CVE-2017-5489

URL

https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/

URL

https://ahussam.me/Leaking-WordPress-CSRF-Tokens/

URL

https://hackerone.com/reports/149589

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-352

CVSS

8.8 (high)

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

e84dcd32-d0da-442b-a00b-6fe69ba6b409

Timeline

Publicly Published

2017-01-11 (about 7 years ago)

Added

2017-01-12 (about 7 years ago)

Last Updated

2020-09-22 (about 3 years ago)

Other

Published

Title

Published

2023-04-13

Title

CoSchedule < 3.3.9 - CSRF

Published

2023-02-21

Title

Advanced Database Cleaner <= 3.1.1 - Settings Update via CSRF

Published

2020-09-16

Title

Lightweight Sidebar Manager < 1.1.5 - Cross-Site Request Forgery

Published

2023-12-26

Title

Block IPs for Gravity Forms < 1.0.2 - Cross-Site Request Forgery

Published

2024-03-04

Title

CM Download Manager < 2.9.0 - Download Deletion via CSRF