CVE-2016-7168
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
We have discovered 488,669 live websites that are affected by CVE-2016-7168.
Affected Software
| Product |  WordPress |
| Category | Content Management System |
| Vulnerable Domains | 488,669 live websites (5.30% of WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 555 versions ( 59.61% of all versions) |
Details
- Published - Jan 5, 2017
- Updated - Aug 6, 2024
CVE References
CVE-2016-7168 usage by Country
 United States | 82,030 websites |
 Italy | 72,994 websites |
 Germany | 33,890 websites |
 Australia | 28,525 websites |
 Japan | 26,288 websites |
 GB | 24,577 websites |
 France | 21,308 websites |
 Russia | 20,421 websites |
 Poland | 18,390 websites |
 Netherlands | 17,369 websites |
CVE-2016-7168 usage by TLD
| .com | 166,195 websites |
| .it | 48,430 websites |
| .com.au | 20,216 websites |
| .ru | 17,953 websites |
| .org | 16,372 websites |
| .de | 15,858 websites |
| .net | 14,936 websites |
| .co.uk | 14,804 websites |
| .pl | 13,289 websites |
| .nl | 11,533 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2016-7168
Top websites that are affected by CVE-2016-7168. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.com | United States | *,*** | |
| ****.***********.de | Germany | *,*** | |
| *************.com | United States | *,*** | |
| ************.org | United States | *,*** | |
| ********.eu |  Austria | *,*** | |
| ********************.ru | Russia | *,*** | |
| *******.**.ca |  Canada | *,*** | |
| **********.com | United States | **,*** | |
| **************.********.com | United States | **,*** | |
| ***********.com | Italy | **,*** |
FAQ
A total of 488,669 websites have been identified as vulnerable to CVE-2016-7168, discovered through global website indexing conducted by WebTechSurvey.
WordPress is susceptible to CVE-2016-7168 vulnerability.
WordPress versions before 4.6.1 are vulnerable to CVE-2016-7168.
Version 4.6.1 of WordPress addresses the CVE-2016-7168 security vulnerability.
References
- https://github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0
- https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
- https://wpvulndb.com/vulnerabilities/8615
- http://www.openwall.com/lists/oss-security/2016/09/08/24
- http://www.securityfocus.com/bid/92841
- https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/
- https://codex.wordpress.org/Version_4.6.1
- http://www.debian.org/security/2016/dsa-3681
- http://www.openwall.com/lists/oss-security/2016/09/08/19