[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"all-banners":3,"SkipToContent_34xgpJIRRkpiT6ls6jE4NHf7VpvQCQBEwi69exi4oT0":4,"FooterNav_JsYsxvLufb1W12aeknKZ89on0MD0bNDTiB5EYxyxmU":11,"FooterSocial_u16tCafBUeGMoDrdLfTINytP2JB5msc6iB3VDUutAoU":17,"vulnerability-7791":24},[],["Island",5],{"key":6,"params":7,"result":9},"SkipToContent_34xgpJIRRkpiT6ls6jE4NHf7VpvQCQBEwi69exi4oT0",{"props":8},"{}",{"head":10},{},["Island",12],{"key":13,"params":14,"result":15},"FooterNav_JsYsxvLufb1W12aeknKZ89on0MD0bNDTiB5EYxyxmU",{"props":8},{"head":16},{},["Island",18],{"key":19,"params":20,"result":22},"FooterSocial_u16tCafBUeGMoDrdLfTINytP2JB5msc6iB3VDUutAoU",{"props":21},"{\"text-color\":\"gray\"}",{"head":23},{},{"id":25,"detectable_with":26,"vuln_details":33,"vuln_id":51,"name":52,"published":53,"updated":34},7791,{"tool":27,"engine":30},{"id":28,"name":29},1,"Network Scanner",{"id":31,"name":32},3,"OpenVAS",{"id":25,"codename":34,"description":34,"severity":35,"risk_description":36,"public_description":37,"public_recommendation":38,"recommendation":34,"references":39,"cvssv3":42,"epss_score":43,"epss_percentile":44,"cve":45,"in_cisa_catalog":50,"date":34,"software_type":34,"vendor":34,"product":34,"ptt_exploit_capabilities":34},null,"medium","WordPress before 4.9.1 is prone to the following security vulnerabilities: - wp-admin/user-new.php sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string. (CVE-2017-17091) - wp-includes/functions.php does not require the unfiltered_html capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file. (CVE-2017-17092) - wp-includes/general-template.php does not properly restrict the lang attribute of an HTML element, which might allow attackers to conduct XSS attacks via the language setting of a site. (CVE-2017-17093) - wp-includes/feed.php does not properly restrict enclosures in RSS and Atom fields, which might allow attackers to conduct XSS attacks via a crafted URL. (CVE-2017-17094) An attacker may leverage these issues to bypass access restrictions or conduct XSS via specific vectors.","WordPress prior to 4.9.1 is prone to multiple vulnerabilities.","Update to WordPress 4.9.1 or later.",[40,41],"https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/","https://codex.wordpress.org/Version_4.9.1",5.4,0.06615,0.91146,[46,47,48,49],"CVE-2017-17091","CVE-2017-17092","CVE-2017-17093","CVE-2017-17094",false,"NETSCAN-OPENVAS-1.3.6.1.4.1.25623.1.0.112147","WordPress \u003C 4.9.1 Multiple Vulnerabilities - Windows","2018-01-02T00:00:00Z"]