NVD Vulnerability Detail

CVE-2015-5714

Summary	Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags.
Publication Date	May 22, 2016, 10:59 a.m.
Registration Date	Jan. 26, 2021, 2:53 p.m.
Last Update	Nov. 21, 2024, 11:33 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:wordpress:wordpress::::::::			4.3.0

Related information, measures and tools

No	URL	タグ
1	http://www.debian.org/security/2015/dsa-3375
2	http://www.debian.org/security/2015/dsa-3375
3	http://www.debian.org/security/2015/dsa-3383
4	http://www.debian.org/security/2015/dsa-3383
5	http://www.securityfocus.com/bid/76745
6	http://www.securityfocus.com/bid/76745
7	http://www.securitytracker.com/id/1033979
8	http://www.securitytracker.com/id/1033979
9	https://codex.wordpress.org/Version_4.3.1	Patch
10	https://codex.wordpress.org/Version_4.3.1	Patch
11	https://github.com/WordPress/WordPress/commit/f72b21af23da6b6d54208e5c1d65ececdaa109c8
12	https://github.com/WordPress/WordPress/commit/f72b21af23da6b6d54208e5c1d65ececdaa109c8
13	https://security-tracker.debian.org/tracker/CVE-2015-5714
14	https://security-tracker.debian.org/tracker/CVE-2015-5714
15	https://wordpress.org/news/2015/09/wordpress-4-3-1/	Patch Vendor Advisory
16	https://wordpress.org/news/2015/09/wordpress-4-3-1/	Patch Vendor Advisory
17	https://wpvulndb.com/vulnerabilities/8186
18	https://wpvulndb.com/vulnerabilities/8186

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

WordPress におけるクロスサイトスクリプティングの脆弱性

Title	WordPress におけるクロスサイトスクリプティングの脆弱性
Summary	WordPress には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、ショートコードタグの処理中に、閉じていない HTML 要素を誤って処理されることで、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 15, 2015, midnight
Registration Date	May 24, 2016, 2:51 p.m.
Last Update	May 24, 2016, 2:51 p.m.

Affected System

WordPress.org

WordPress 4.3.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-5714	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5714
National Vulnerability Database (NVD)
2	CVE-2015-5714	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5714
Security Bug Tracker
3	CVE-2015-5714	https://security-tracker.debian.org/tracker/CVE-2015-5714

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
GitHub
1	Shortcodes: don't allow unclosed HTML elements in attributes	https://github.com/WordPress/WordPress/commit/f72b21af23da6b6d54208e5c1d65ececdaa109c8
WordPress Blog
2	WordPress 4.3.1 Security and Maintenance Release	https://wordpress.org/news/2015/09/wordpress-4-3-1/
WordPress Codex
3	Version 4.3.1	https://codex.wordpress.org/Version_4.3.1

Change Log

No	Changed Details	Date of change
0	[2016年05月24日] 掲載	Feb. 17, 2018, 10:37 a.m.