CVE-2017-6814
In WordPress before 4.7.3, there is authenticated Cross-Site Scripting (XSS) via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp-includes/js/mediaelement/wp-playlist.js.
We have discovered 448,247 live websites that are affected by CVE-2017-6814.
Affected Software
| Product |  WordPress |
| Category | Content Management System |
| Vulnerable Domains | 448,247 live websites (5.46% of WordPress install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 769 versions ( 58% of all versions) |
Details
- Published - Mar 12, 2017
- Updated - Aug 5, 2024
CVE References
Website Distribution by Country
Number of websites using CVE-2017-6814 United States | 75,777 websites |
 Italy | 69,497 websites |
 Germany | 32,915 websites |
 Japan | 24,795 websites |
 GB | 23,297 websites |
 Russia | 22,541 websites |
 Poland | 21,114 websites |
 France | 19,131 websites |
 Iran | 13,033 websites |
 Netherlands | 12,715 websites |
Website Distribution by TLD
Number of websites using CVE-2017-6814| .com | 156,993 websites |
| .it | 45,590 websites |
| .ru | 18,721 websites |
| .org | 16,162 websites |
| .de | 15,911 websites |
| .pl | 15,162 websites |
| .net | 13,137 websites |
| .co.uk | 12,579 websites |
| .nl | 8,934 websites |
| .fr | 7,670 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2017-6814
Top websites that are affected by CVE-2017-6814. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *****.com | United States | *,*** | |
| ************.org | United States | *,*** | |
| ******.com | France | *,*** | |
| ***********.eu |  Cyprus | *,*** | |
| *******.org | United States | *,*** | |
| *********.io | Netherlands | *,*** | |
| ***********.com | United States | *,*** | |
| ********.com | United States | *,*** | |
| ********.org | United States | *,*** | |
| ********.eu |  Austria | *,*** |
References
- https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7
- http://www.securitytracker.com/id/1037959
- http://www.debian.org/security/2017/dsa-3815
- https://wpvulndb.com/vulnerabilities/8765
- http://www.securityfocus.com/bid/96601
- https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html
- https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/
- http://openwall.com/lists/oss-security/2017/03/06/8
- https://codex.wordpress.org/Version_4.7.3