CVE-2017-5493

Description

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

How to fix CVE-2017-5493

To remediate CVE-2017-5493, upgrade the affected package to a fixed version below.

Debian/wordpress—upgrade to 4.7.1+dfsg-1 or later

Is CVE-2017-5493 being exploited?

Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.7.1+dfsg-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-5493