CVE-2019-9787

Published: 14/03/2019 Updated: 31/03/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 608
CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

WordPress prior to 5.1.1 does not properly filter comment content, leading to Remote Code Execution by unauthenticated users in a default configuration. This occurs because CSRF protection is mishandled, and because Search Engine Optimization of A elements is performed incorrectly, leading to XSS. The XSS results in administrative access, which allows arbitrary changes to .php files. This is related to wp-admin/includes/ajax-actions.php and wp-includes/comment.php.

Vulnerable product: wordpress (vendor: wordpress)

Vendor Advisories

Debian Bug report logs - #924546 wordpress: CVE-2019-9787: Comments may create a XSS. Package: src:wordpress; Maintainer for src:wordpress is Craig Small <csmall@debian.org>; Reported by: Craig Small <csmall@debian.org>; Date: Thu, 14 Mar 2019 10:24:02 UTC; Severity: important; Tags: security; Found in versions wordpress ...
Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform various Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, create files on the server, disclose private information, create open redirects, poison cache, and bypass authorization access and input sanitation. For ...

GitHub Repositories

Overview PoC of CSRF CVE-2019-9787 WordPress Version 5.1.1

CVE-2019-9787 CSRF PoC. Overview: PoC of CSRF CVE-2019-9787, WordPress Version 5.1.1. Do not use this, EXCEPT for TEST purposes. Installation: docker-compose up -d. Attack: Access localhost:8080/wp-admin/install.php and install WordPress (you only have to create a WP admin account). Access localhost:8080/?p=1#comm...

mitigation-cve-2019-9787. POC: simple xss: <script>alert('xss');</script>; simple csrf: attacker's website code: github.com/kuangting4231/wordpress.github.io; csrf remote code execution: attacker's website code: github.com/kuangting4231/assigment1.github.io; mitigation: fix the logic flaw in the sanitization proce...

Project 7 - WordPress Pentesting. Time spent: 12 hours spent in total. Objective: Find, analyze, recreate, and document three vulnerabilities affecting an old version of WordPress. Pentesting Report 1: Authenticated XSS in comments (CVE-2019-9787). Summary: WordPress did not properly filter comments, leading to remote code execution by unauthenticated user configuration. Vulne...

CodePath Assignment for Weeks 7 & 8: CVE-2017-14719, CVE-2019-9787 & Unauthenticated Page/Post Content Modification via REST API

CodePath Week 7-8. CodePath Assignment for Weeks 7 & 8: CVE-2017-14719, CVE-2019-9787 & Unauthenticated Page/Post Content Modification via REST API. Project 7 - WordPress Pentesting. Time spent: 16 hours spent in total. Objective: Find, analyze, recreate, and document vulnerabilities affecting an old version of WordPress. Pentesting Report 1: CVE-2017-14719. Summa...

Project 7 - WordPress Pentesting. Time spent: 24 hours spent in total. Objective: Find, analyze, recreate, and document 3 vulnerabilities affecting an old version of WordPress. Pentesting Report 1: CVE-2017-9061. Summary: XSS via Large File Upload Error. Vulnerability types: XSS Injection. Tested in version: 4.2.0. Fixed in version: 4.2.15. GIF Walkthrough: Found in file_size_...

Try to reproduce this issue with Docker

Wordpress_CVE-2019-9787. Try to reproduce this issue with Docker with an auto install for WordPress. PoC of CVE-2019-9787 CSRF, WordPress Version up to 5.1. To demonstrate the full potential of CVE-2019-9787 you probably want a more nasty piece of code than the comment present in nginx/iframe-post.html. In my code I don't use the flaw in the WordPress wp_filter_post_kses(). Do...

CVE-2019-9787 CSRF PoC. Overview: PoC of CVE-2019-9787 CSRF, WordPress Version 5.0 (reference). Do not use this except for test purposes. Installation: $ docker-compose up -d; access localhost:8080/ and install WordPress (you only have to create a WP admin account); access localhost:8080/?p=1#comments as a visitor, and post comment li...

pen testing project for codepath fall 2022

pentesting_project_sofcora: pen testing project for CodePath fall 2022. Time spent: 25-30 hours spent in total. Objective: Find, analyze, recreate, and document five vulnerabilities affecting an old version of WordPress. Pen Testing Report (Required). Vulnerability Name or ID: Cross-site scripting in post title. Summary: Vulnerability types: WordPress <= 4.2.2 - Authenticated...

This is a recurrence of cve-2019-9787 on Wordpress and a hash-based defense.

Wordpress_cve-2019-9787_defense. Notice: This is a project by Sijia Zhang (github.com/sijiahi) and Bowen Zhou (github.com/KonjakZhou). Prerequisite: 1. Recurrence Attack: - Configure and install WordPress 5.0 under localhost/wp-admin/; - Log in to WordPress as admin, post at least one article; - open mal.html (configured under another domain name, possibly directl...