WordPress Comment Content Filtering Remote Code Execution Vulnerability



A vulnerability in WordPress could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists because the affected software has insufficient cross-site request forgery (CSRF) protection in the comment form and it incorrectly performs search engine optimization of A elements. An attacker could exploit this vulnerability by posting a comment on a targeted WordPress site and including a link that submits malicious input to the site. If a site administrator accesses the malicious link, the attacker could conduct a cross-site scripting (XSS) attack and execute arbitrary code with administrative privileges. A successful exploit could result in a complete compromise of the affected site.

Proof-of-concept (PoC) code that demonstrates an exploit of this vulnerability is publicly available.

WordPress has confirmed the vulnerability and released software updates.

Security Impact Rating: High

CVE: CVE-2019-9787

Source:: Cisco Multivendor Vulnerability Alerts