VDB-99243 · CVE-2017-1001000 · BID 95816

WordPress up to 4.7.1 class-wp-rest-posts-controller.php register_routes access control

A vulnerability classified as critical has been found in WordPress up to 4.7.1. This affects the function register_routes of the file wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php. The manipulation leads to improper access controls. The CWE definition for the vulnerability is CWE-264. The bug was discovered 02/10/2017. The weakness was presented 04/03/2017 by Security Team with WordPress Security Team as e357195ce303017d517aff944644a7a1232926f7 (oss-sec). It is possible to read the advisory at openwall.com. This vulnerability is uniquely identified as CVE-2017-1001000. It is possible to initiate the attack remotely. Technical details are available. There is no exploit available. The pricing for an exploit might be around USD $0-$5k at the moment. The attack technique deployed by this issue is T1068 according to MITRE ATT&CK. It is declared as not defined. We expect the 0-day to have been worth approximately $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 96906 (WordPress < 4.7.2 Multiple Vulnerabilities), which helps to determine the existence of the flaw in a target environment. The commercial vulnerability scanner Qualys is able to test this issue with plugin 11758 (WordPress Prior to 4.7.2 Multiple Security Vulnerabilities). Upgrading to version 4.7.2 is able to address this issue. The bugfix is ready for download at github.com. It is recommended to upgrade the affected component. A possible mitigation has been published even before and not after the disclosure of the vulnerability. The vulnerability is also documented other vulnerability databases: SecurityFocus (BID 95816), SecurityTracker (ID 1037731) and Tenable (96906).

Field04/03/2017 04:57 PM08/25/2020 12:01 PM11/24/2022 05:42 PM
typeContent Management SystemContent Management SystemContent Management System
nameWordPressWordPressWordPress
version<=4.7.1<=4.7.1<=4.7.1
filewp-includes/rest-api/endpoints/class-wp-rest-posts-controller.phpwp-includes/rest-api/endpoints/class-wp-rest-posts-controller.phpwp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php
functionregister_routesregister_routesregister_routes
discoverydate148668480014866848001486684800
cwe264 (access control)264 (access control)264 (access control)
risk111
cvss2_vuldb_basescore7.57.57.5
cvss2_vuldb_tempscore6.56.56.5
cvss2_vuldb_avNNN
cvss2_vuldb_acLLL
cvss2_vuldb_auNNN
cvss2_vuldb_ciPPP
cvss2_vuldb_iiPPP
cvss2_vuldb_aiPPP
cvss2_nvd_avNNN
cvss2_nvd_acLLL
cvss2_nvd_auNNN
cvss2_nvd_ciNNN
cvss2_nvd_iiPPP
cvss2_nvd_aiNNN
cvss3_meta_basescore6.96.96.9
cvss3_meta_tempscore6.66.66.7
cvss3_vuldb_basescore6.36.36.3
cvss3_vuldb_tempscore6.06.06.0
cvss3_vuldb_avNNN
cvss3_vuldb_acLLL
cvss3_vuldb_prNNN
cvss3_vuldb_uiRRR
cvss3_vuldb_sUUU
cvss3_vuldb_cLLL
cvss3_vuldb_iLLL
cvss3_vuldb_aLLL
cvss3_nvd_avNNN
cvss3_nvd_acLLL
cvss3_nvd_prNNN
cvss3_nvd_uiNNN
cvss3_nvd_sUUU
cvss3_nvd_cNNN
cvss3_nvd_iHHH
cvss3_nvd_aNNN
date1491177600 (04/03/2017)1491177600 (04/03/2017)1491177600 (04/03/2017)
locationoss-secoss-secoss-sec
urlhttp://www.openwall.com/lists/oss-security/2017/02/10/16http://www.openwall.com/lists/oss-security/2017/02/10/16http://www.openwall.com/lists/oss-security/2017/02/10/16
confirm_urlhttps://codex.wordpress.org/Version_4.7.2https://codex.wordpress.org/Version_4.7.2https://codex.wordpress.org/Version_4.7.2
price_0day$5k-$25k$5k-$25k$5k-$25k
nameUpgradeUpgradeUpgrade
date1485388800 (01/26/2017)1485388800 (01/26/2017)1485388800 (01/26/2017)
upgrade_version4.7.24.7.24.7.2
cveCVE-2017-1001000CVE-2017-1001000CVE-2017-1001000
cve_assigned1491091200 (04/02/2017)1491091200 (04/02/2017)1491091200 (04/02/2017)
cve_nvd_published149109120014910912001491091200
cve_nvd_summaryThe register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.The register_routes function in wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php in the REST API in WordPress 4.7.x before 4.7.2 does not require an integer identifier, which allows remote attackers to modify arbitrary pages via a request for wp-json/wp/v2/posts followed by a numeric value and a non-numeric value, as demonstrated by the wp-json/wp/v2/posts/123?id=123helloworld URI.
osvdb_titleWordPress register_routes function security bypassWordPress register_routes function security bypassWordPress register_routes function security bypass
securityfocus958169581695816
securityfocus_titleWordPress Prior to 4.7.2 Multiple Security VulnerabilitiesWordPress Prior to 4.7.2 Multiple Security VulnerabilitiesWordPress Prior to 4.7.2 Multiple Security Vulnerabilities
nessus_id969069690696906
nessus_nameWordPress < 4.7.2 Multiple VulnerabilitiesWordPress < 4.7.2 Multiple VulnerabilitiesWordPress < 4.7.2 Multiple Vulnerabilities
nessus_filenamewordpress_4_7_2.naslwordpress_4_7_2.naslwordpress_4_7_2.nasl
nessus_riskHighHighHigh
nessus_familyCGI abusesCGI abusesCGI abuses
nessus_typeremoteremoteremote
nessus_date1485820800 (01/31/2017)1485820800 (01/31/2017)1485820800 (01/31/2017)
openvas_id803448803448803448
openvas_filenamegb_wordpress_prior_472_mult_vuln_win.naslgb_wordpress_prior_472_mult_vuln_win.naslgb_wordpress_prior_472_mult_vuln_win.nasl
openvas_titleWordPress < 4.7.2 Multiple Security Vulnerabilities (Windows)WordPress < 4.7.2 Multiple Security Vulnerabilities (Windows)WordPress < 4.7.2 Multiple Security Vulnerabilities (Windows)
openvas_familyWeb application abusesWeb application abusesWeb application abuses
qualys_id117581175811758
qualys_titleWordPress Prior to 4.7.2 Multiple Security VulnerabilitiesWordPress Prior to 4.7.2 Multiple Security VulnerabilitiesWordPress Prior to 4.7.2 Multiple Security Vulnerabilities
seealso96275 96276 9627796275 96276 9627796275 96276 96277
cvss2_vuldb_eNDNDND
cvss2_vuldb_rlOFOFOF
cvss2_vuldb_rcNDNDND
cvss3_vuldb_eXXX
cvss3_vuldb_rlOOO
cvss3_vuldb_rcXXX
cvss3_nvd_basescore7.57.57.5
person_nameSecurity TeamSecurity Team
company_nameWordPress Security TeamWordPress Security Team
securityfocus_date1485388800 (01/26/2017)1485388800 (01/26/2017)
securityfocus_classInput Validation ErrorInput Validation Error
identifiere357195ce303017d517aff944644a7a1232926f7
patch_urlhttps://github.com/WordPress/WordPress/commit/e357195ce303017d517aff944644a7a1232926f7
sectracker1037731
cvss2_nvd_basescore5.0

Do you need the next level of professionalism?

Upgrade your account now!