CVE-2017-17091

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.

Published: 2017-12-02 06:29
Updated: 2019-10-03 00:03

CVSS Score: 6.5 / 10
Vendor Product Version URI
Wordpress Wordpress 4.9 cpe:/a:wordpress:wordpress:4.9

CWE

ID: CWE-330
Name: Use of Insufficiently Random Values
Description: The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers.

History of changes

Date Event
2019-10-03 00:03
2018-02-04 02:29
2018-01-18 18:18
2017-12-15 15:22
2017-12-08 02:29
2017-12-06 02:29
2017-12-02 06:29 New CVE