A vulnerability in WordPress could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.
The vulnerability exists because the affected software has insufficient cross-site request forgery (CSRF) protection in the comment form and it incorrectly performs search engine optimization of A elements. An attacker could exploit this vulnerability by posting a comment on a targeted WordPress site and including a link that submits malicious input to the site. If a site administrator accesses the malicious link, the attacker could conduct a cross-site scripting (XSS) attack and execute arbitrary code with administrative privileges. A successful exploit could result in a complete compromise of the affected site.
Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.
WordPress has confirmed the vulnerability and released software updates.
Security Impact Rating: High