CVE-2017-5493

7.5 HIGH
Published: January 15, 2017 Modified: May 13, 2026
View on NVD

Description

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
http://www.debian.org/security/2017/dsa-3779
Source: cve@mitre.org
http://www.openwall.com/lists/oss-security/2017/01/14/6
Source: cve@mitre.org
Mailing List Third Party Advisory
http://www.securityfocus.com/bid/95401
Source: cve@mitre.org
http://www.securitytracker.com/id/1037591
Source: cve@mitre.org
https://codex.wordpress.org/Version_4.7.1
Source: cve@mitre.org
Release Notes Vendor Advisory
https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
Source: cve@mitre.org
Patch
https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Source: cve@mitre.org
Vendor Advisory
https://wpvulndb.com/vulnerabilities/8721
Source: cve@mitre.org
http://www.debian.org/security/2017/dsa-3779
Source: af854a3a-2127-422b-91ae-364da2661108
http://www.openwall.com/lists/oss-security/2017/01/14/6
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Third Party Advisory
http://www.securityfocus.com/bid/95401
Source: af854a3a-2127-422b-91ae-364da2661108
http://www.securitytracker.com/id/1037591
Source: af854a3a-2127-422b-91ae-364da2661108
https://codex.wordpress.org/Version_4.7.1
Source: af854a3a-2127-422b-91ae-364da2661108
Release Notes Vendor Advisory
https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
https://wpvulndb.com/vulnerabilities/8721
Source: af854a3a-2127-422b-91ae-364da2661108

16 reference(s) from NVD

Quick Stats

CVSS v3 Score
7.5 / 10.0
EPSS (Exploit Probability)
2.9%
85th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-338

Affected Vendors

wordpress

Related CVEs

CVE-2026-39955 9.8
CVE-2026-39948 N/A
CVE-2026-39938 9.8
CVE-2026-39900 N/A
CVE-2026-39899 N/A