ThreatPress

WordPress Vulnerabilities Database


WordPress <= 4.2.3 - Multiple Vulnerabilities

Product
WordPress
Description
WordPress 4.2.3 and earlier are affected by multiple vulnerabilities, including cross-site scripting and SQL injection, all fixed in 4.2.4. The entry referenced here, CVE-2015-5730, is a timing side channel: the sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php compares the hash supplied with a widget instance against the expected value using an ordinary string comparison that returns as soon as it finds a mismatching byte. Because the time the check takes depends on how many leading bytes of the supplied hash are correct, a remote attacker can measure the delay before the inequality is detected and use that timing as a side channel against the hash check.
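The following is an added illustration, not code from WordPress or from this database entry: a simplified stand-in for the widget-instance hash check, showing the early-exit comparison pattern described above next to a constant-time form of the kind the 4.2.4 fix introduced. The function names, the $secret value (standing in for WordPress's salt), the hashing over the encoded instance data, and the sample widget data are all assumptions of this example.

```php
<?php
// Added example, not WordPress code. Models the check that sanitize_widget_instance()
// performs: the Customizer sends serialized, base64-encoded widget data plus an HMAC
// over it, and the server recomputes the HMAC and compares it with the supplied one.
// $secret is an assumption of this example; WordPress derives its key from its salts.

$secret = 'example-secret-salt-not-a-real-wp-salt';

function compute_instance_hash(string $encoded_instance, string $secret): string {
    // Hashing over the encoded data (rather than the decoded serialization) is a
    // simplification for this example.
    return hash_hmac('md5', $encoded_instance, $secret);
}

// Vulnerable form: an ordinary string (in)equality test stops at the first byte that
// differs, so the time spent depends on how many leading bytes of the attacker's
// guess match the real hash. This is the pattern CVE-2015-5730 describes.
function check_instance_hash_vulnerable(array $value, string $secret): bool {
    $hash = compute_instance_hash($value['encoded_serialized_instance'] ?? '', $secret);
    return $hash === ($value['instance_hash_key'] ?? '');
}

// Hardened form: hash_equals() examines every byte of both strings regardless of
// where a mismatch occurs, so timing no longer reveals how much of the guess is right.
function check_instance_hash_hardened(array $value, string $secret): bool {
    $hash = compute_instance_hash($value['encoded_serialized_instance'] ?? '', $secret);
    $supplied = $value['instance_hash_key'] ?? '';
    return is_string($supplied) && hash_equals($hash, $supplied);
}

// What a constant-time comparison does internally, for PHP builds that predate
// hash_equals(): XOR each byte pair and OR the results together, with no early exit.
// Comparing lengths first leaks only the length, which for an HMAC is public anyway.
function constant_time_equals(string $known, string $user): bool {
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($known); $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Constructed sample input: a widget instance and a forged copy whose hash differs
// in its first byte (the case an early-exit comparison rejects fastest).
$instance = base64_encode(serialize(['title' => 'Recent Posts', 'number' => 5]));
$good = [
    'encoded_serialized_instance' => $instance,
    'instance_hash_key'           => compute_instance_hash($instance, $secret),
];
$forged = $good;
$forged['instance_hash_key'][0] = ($forged['instance_hash_key'][0] === '0') ? '1' : '0';

var_dump(check_instance_hash_vulnerable($good, $secret));
var_dump(check_instance_hash_vulnerable($forged, $secret));
var_dump(check_instance_hash_hardened($good, $secret));
var_dump(check_instance_hash_hardened($forged, $secret));
var_dump(constant_time_equals($good['instance_hash_key'], $forged['instance_hash_key']));
```

Both checks return the same boolean for the same input; the difference is only in how long the rejection takes, which is exactly what a timing side channel measures. When reviewing code that compares a secret or a MAC, look for `==`, `===`, `!=`, `!==`, strcmp() or memcmp()-style calls and replace them with hash_equals() (or an equivalent constant-time routine), always passing the server-computed value as the first argument.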
Solution
Update WordPress to 4.2.4 or later.
Classification
Type Multi
References
CVE (MITRE) CVE-2015-5730
Versions
Affected In <= 4.2.3
Fixed In 4.2.4
Disclosure date
2015-08-04