CVE-2017-5490 in WordPressinfo

Summary

by MITRE

Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/13/2026

The vulnerability identified as CVE-2017-5490 represents a critical cross-site scripting flaw within the WordPress content management system that specifically targets the theme installation and management functionality. This vulnerability exists in the wp-includes/class-wp-theme.php file and affects WordPress versions prior to 4.7.1, making it a significant concern for millions of WordPress installations worldwide. The flaw manifests in the theme-name fallback mechanism where the system fails to properly sanitize user input when processing theme directory names during installation processes. Attackers can exploit this weakness by crafting malicious directory names that contain embedded script code, which then gets executed when the system displays theme information in the administrative interface. The vulnerability is particularly dangerous because it operates at the core theme installation functionality, allowing attackers to inject arbitrary web scripts or HTML content directly into the WordPress administration environment.

The technical implementation of this vulnerability stems from inadequate input validation and output encoding within the WordPress theme handling system. When WordPress processes theme installations, it relies on directory names to determine theme properties and display information to administrators. The wp-admin/includes/class-theme-installer-skin.php file interacts with the vulnerable wp-includes/class-wp-theme.php functionality to render theme names in the user interface, creating an injection point where malicious input can bypass standard sanitization measures. This issue falls under the CWE-79 category of Cross-Site Scripting, specifically representing a stored XSS vulnerability where malicious payloads are stored in the system and executed when other users view the affected theme information. The vulnerability operates through the theme installation workflow where directory names are not properly escaped before being rendered in HTML contexts, allowing attackers to inject script tags, event handlers, or other malicious code that executes in the context of authenticated administrator sessions.

The operational impact of CVE-2017-5490 extends beyond simple script injection, as it can enable attackers to gain full administrative control over vulnerable WordPress installations. When an administrator views the theme installation interface or theme management screens, the malicious code embedded in the crafted directory name executes in their browser, potentially allowing attackers to steal session cookies, execute arbitrary commands, or redirect users to malicious sites. This vulnerability directly maps to ATT&CK technique T1190 for exploiting vulnerabilities in web applications and can be leveraged for privilege escalation within WordPress environments. The attack vector requires minimal user interaction beyond visiting the affected administrative pages, making it particularly dangerous in environments where administrators regularly access theme installation and management interfaces. The vulnerability also presents risks in multi-user environments where attackers might compromise less privileged users to gain access to administrator accounts through session hijacking or credential theft.

Mitigation strategies for this vulnerability require immediate patching of WordPress installations to version 4.7.1 or later, which contains the necessary fixes for proper input sanitization and output encoding. Organizations should implement comprehensive security monitoring to detect unauthorized theme installations or modifications to theme directories, as well as establish regular security audits of WordPress installations to identify potential exploitation attempts. The fix implemented in WordPress 4.7.1 addresses the root cause by ensuring proper HTML escaping of theme names before rendering them in administrative interfaces, preventing the execution of malicious scripts. Security measures should also include implementing web application firewalls to monitor for suspicious directory naming patterns and establishing strict access controls for theme installation capabilities. Additionally, administrators should regularly update their WordPress core, plugins, and themes to maintain protection against similar vulnerabilities, while also implementing security hardening practices such as disabling unnecessary administrative functions and restricting file upload capabilities to prevent exploitation through alternative attack vectors.

Reservation

01/14/2017

Disclosure

01/14/2017

Moderation

accepted

Entry

VDB-95350

CPE

ready

Exploit

Download

EPSS

0.02436

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!