ThreatPress

WordPress Vulnerabilities Database

WordPress 3.7-4.9 - newbloguser Key Bypass

Product
WordPress
Description
In wp-admin/user-new.php, the newbloguser key is set to a string that can be obtained from the user ID, which allows an attacker to bypass intended access restrictions by entering this string.
Solution
Update WordPress to 4.9.1
Classification
Type BYPASS
References
CVE
WordPress Changelog
CVE
Name CVE-2017-17091
Versions
Affected In <= 4.9
Fixed In 4.9.1
Disclosure date
2017-11-29