CVE-2017-5490

Published: 15 January 2017

Cross-site scripting (XSS) vulnerability in the theme-name fallback functionality in wp-includes/class-wp-theme.php in WordPress before 4.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted directory name of a theme, related to wp-admin/includes/class-theme-installer-skin.php.

Priority

CVSS 3 base score: 6.1

Status

Package	Release	Status
wordpress Launchpad, Ubuntu, Debian	artful	Not vulnerable (4.7.1+dfsg-1)
	bionic	Not vulnerable (4.7.1+dfsg-1)
	cosmic	Not vulnerable (4.7.1+dfsg-1)
	disco	Not vulnerable (4.7.1+dfsg-1)
	eoan	Not vulnerable (4.7.1+dfsg-1)
	focal	Not vulnerable (4.7.1+dfsg-1)
	groovy	Not vulnerable (4.7.1+dfsg-1)
	hirsute	Not vulnerable (4.7.1+dfsg-1)
	impish	Not vulnerable (4.7.1+dfsg-1)
	jammy	Not vulnerable (4.7.1+dfsg-1)
	precise	Does not exist (precise was needs-triage)
	trusty	Does not exist (trusty was needed)
	upstream	Released (4.7.1+dfsg-1)
	xenial	Ignored (end of standard support, was needed)
	yakkety	Ignored (reached end-of-life)
	zesty	Not vulnerable (4.7.1+dfsg-1)

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851310

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›