Cross-Site Scripting Vulnerability in WordPress by Automattic
CVE-2015-3440

Currently unrated

Key Information:

Vendor

Wordpress
Status
Debian Linux
Vendor
CVE Published:
3 August 2015

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC๐ŸŸฃ EPSS 17%

What is CVE-2015-3440?

A Cross-Site Scripting (XSS) vulnerability existed in WordPress versions prior to 4.2.1, allowing remote attackers to inject arbitrary web scripts or HTML into comments. This vulnerability arose due to improper storage of long comments, which are limited by the MySQL TEXT data type. When users interact with infected comments, they may unknowingly execute malicious scripts, potentially compromising their accounts and exposing sensitive information.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2015-3440 - Proof of Concept

References

https://www.exploit-db.com/exploits/36844/
exploitx_refsource_EXPLOIT-DB
http://lists.fedoraproject.org/pipermail/package-announce...
vendor-advisoryx_refsource_FEDORA
http://codex.wordpress.org/Version_4.2.1
x_refsource_CONFIRM

EPSS Score

17% chance of being exploited in the next 30 days.

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.