CVE-2014-9031: XSS
First published: Tue Nov 25 2014(Updated: )
Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WordPress | <=3.7.4 | |
| WordPress | =3.8 | |
| WordPress | =3.8.1 | |
| WordPress | =3.8.2 | |
| WordPress | =3.8.3 | |
| WordPress | =3.8.4 | |
| WordPress | =3.9 | |
| WordPress | =3.9.1 | |
| WordPress | =3.9.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://advisories.mageia.org/MGASA-2014-0493.html
- http://klikki.fi/adv/wordpress.html
- http://openwall.com/lists/oss-security/2014/11/25/12
- http://seclists.org/fulldisclosure/2014/Nov/62
- http://www.debian.org/security/2014/dsa-3085
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:233
- http://www.securityfocus.com/bid/71237
- http://www.securitytracker.com/id/1031243
- https://wordpress.org/news/2014/11/wordpress-4-0-1/
Frequently Asked Questions
What is the severity of CVE-2014-9031?
CVE-2014-9031 is classified as a medium-severity Cross-site Scripting (XSS) vulnerability.
How do I fix CVE-2014-9031?
To fix CVE-2014-9031, update WordPress to version 3.7.5, 3.8.5, 3.9.3, or later.
What versions of WordPress are affected by CVE-2014-9031?
CVE-2014-9031 affects WordPress versions prior to 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3.
What does CVE-2014-9031 allow attackers to do?
CVE-2014-9031 allows remote attackers to inject arbitrary web scripts or HTML via manipulated shortcode brackets.
Is my website at risk if using an affected version of WordPress for CVE-2014-9031?
Yes, if you are using an affected version of WordPress, your website is at risk of XSS attacks.
- agent/type
- agent/softwarecombine
- agent/author
- agent/references
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/wordpress
- canonical/wordpress
- version/wordpress/3.7.4
- version/wordpress/3.8
- version/wordpress/3.8.1
- version/wordpress/3.8.2
- version/wordpress/3.8.3
- version/wordpress/3.8.4
- version/wordpress/3.9
- version/wordpress/3.9.1
- version/wordpress/3.9.2