ID CVE-2015-5730
Summary The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated.
References
Vulnerable Configurations
  • WordPress 4.2.3
    cpe:2.3:a:wordpress:wordpress:4.2.3
CVSS
Base: 5.0 (as of 09-11-2015 - 11:16)
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family CGI abuses
    NASL id WORDPRESS_4_2_4.NASL
    description According to its version number, the WordPress application running on the remote web server is prior to 4.2.4. It is, therefore, potentially affected by multiple vulnerabilities : - A SQL injection vulnerability exists in the post.php script due to a failure to sanitize user-supplied input to the 'comment_ID' parameter before using it in SQL queries. A remote attacker can exploit this to inject SQL queries against the back-end database, allowing the disclosure or manipulation of data. (CVE-2015-2213) - The class-wp-customize-widgets.php script contains an unspecified flaw that allows an attacker to perform a side-channel timing attack. No other details are available. (CVE-2015-5730) - A cross-site scripting vulnerability exists due to the default-widgets.php script not validating input to widget titles before returning it to users. A remote attacker, using a crafted request, can exploit this to execute arbitrary script in the user's browser session. (CVE-2015-5732) - A cross-site scripting vulnerability exists due to the nav-menu.js script not validating input to accessibility helper titles before returning it to users. A remote attacker, using a crafted request, can exploit this to execute arbitrary script in the user's browser session. (CVE-2015-5733) - A cross-site scripting vulnerability exists due to the theme.php script not validating input before returning it to users. A remote attacker, using a crafted request, can exploit this to execute arbitrary script in the user's browser session. (CVE-2015-5734) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-08-07
    plugin id 85243
    published 2015-08-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85243
    title WordPress < 4.2.4 Multiple Vulnerabilities
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3332.NASL
    description Several vulnerabilities have been fixed in Wordpress, the popular blogging engine. - CVE-2015-2213 SQL Injection allowed a remote attacker to compromise the site. - CVE-2015-5622 The robustness of the shortcodes HTML tags filter has been improved. The parsing is a bit more strict, which may affect your installation. This is the corrected version of the patch that needed to be reverted in DSA 3328-2. - CVE-2015-5730 A potential timing side-channel attack in widgets. - CVE-2015-5731 An attacker could lock a post that was being edited. - CVE-2015-5732 Cross site scripting in a widget title allows an attacker to steal sensitive information. - CVE-2015-5734 Fix some broken links in the legacy theme preview. The issues were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point, Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A. Baset.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85355
    published 2015-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85355
    title Debian DSA-3332-1 : wordpress - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-12750.NASL
    description **WordPress 4.2.4 Security and Maintenance Release** WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset. Our thanks to those who have practiced responsible disclosure of security issues. WordPress 4.2.4 also fixes four bugs. For more information, see: the release notes or consult the list of changes. - the release notes: https://codex.wordpress.org/Version_4.2.4 - the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=3 3573&stop_rev=33396 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-11-10
    plugin id 85317
    published 2015-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85317
    title Fedora 23 : wordpress-4.2.4-1.fc23 (2015-12750)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_AC5EC8E33C6C11E5B92100A0986F28C4.NASL
    description Gary Pendergast reports : WordPress 4.2.4 fixes three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85258
    published 2015-08-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85258
    title FreeBSD : wordpress -- Multiple vulnerability (ac5ec8e3-3c6c-11e5-b921-00a0986f28c4)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-12148.NASL
    description **WordPress 4.2.4 Security and Maintenance Release** WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset. Our thanks to those who have practiced responsible disclosure of security issues. WordPress 4.2.4 also fixes four bugs. For more information, see: the release notes or consult the list of changes. - the release notes: https://codex.wordpress.org/Version_4.2.4 - the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=3 3573&stop_rev=33396 **WordPress 4.2.3 Security and Maintenance Release** WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnonen. We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies. Our thanks to those who have practiced responsible disclosure of security issues. WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see : - the release notes: https://codex.wordpress.org/Version_4.2.3 - the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=3 3382&stop_rev=32430 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-11-10
    plugin id 85389
    published 2015-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85389
    title Fedora 21 : wordpress-4.2.4-1.fc21 (2015-12148)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-12235.NASL
    description **WordPress 4.2.4 Security and Maintenance Release** WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset. Our thanks to those who have practiced responsible disclosure of security issues. WordPress 4.2.4 also fixes four bugs. For more information, see: the release notes or consult the list of changes. - the release notes: https://codex.wordpress.org/Version_4.2.4 - the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=3 3573&stop_rev=33396 **WordPress 4.2.3 Security and Maintenance Release** WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnonen. We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies. Our thanks to those who have practiced responsible disclosure of security issues. WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see : - the release notes: https://codex.wordpress.org/Version_4.2.3 - the list of changes: https://core.trac.wordpress.org/log/branches/4.2?rev=3 3382&stop_rev=32430 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-11-10
    plugin id 85390
    published 2015-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85390
    title Fedora 22 : wordpress-4.2.4-1.fc22 (2015-12235)
refmap via4
bid 76160
confirm
debian DSA-3332
misc https://wpvulndb.com/vulnerabilities/8130
mlist [oss-security] 20150804 Re: CVE request: WordPress 4.2.3 and earlier multiple vulnerabilities
sectrack 1033178
Last major update 07-12-2016 - 13:17
Published 09-11-2015 - 06:59
Last modified 20-09-2017 - 21:29
Back to Top