Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2017-17091

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.

See the

CVE page on Mitre.org for more details.

References

MISC: https://codex.wordpres...
MISC: https://github.com/Wor...
MISC: https://wordpress.org/...
MISC: https://wpvulndb.com/v...
BID: 102024
DEBIAN: DSA-4090
MLIST: [debian-lts-announce] ...

Launchpad.net

CVE 2017-17091

Related bugs

References