漏洞编号：CVE-2016-5832 WordPress4.5.3多个安全漏洞

WordPress is an open source blogging tool and content management system based on PHP and MySQL. It has many features including a plug-in architecture and a template system.

WordPress versions prior to 4.5.3 contain the following vulnerabilities:
CVE-2016-5832: The customizer allows remote attackers to bypass intended redirection restrictions via unspecified vectors.
CVE-2016-5833: Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834.
CVE-2016-5834: Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.
CVE-2016-5835: WordPress allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.
CVE-2016-5836: The oEmbed protocol implementation in WordPress allows remote attackers to cause a denial of service via unspecified vectors.
CVE-2016-5837: WordPress allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.
CVE-2016-5838: WordPress allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie.
CVE-2016-5839: WordPress allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.
CVE-2016-6896: Directory traversal vulnerability in the wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php allows remote authenticated users to cause a denial of service or read certain text files via a .. (dot dot) in the plugin parameter to wp-admin/admin-ajax.php, as demonstrated by /dev/random read operations that deplete the entropy pool.

Affected Versions:
WordPress prior to 4.5.3

QID Detection Logic:
This QID depends on BlindElephant engine to detect the version of the WordPress installation as active attacks could potentially harm live installations.

Depending on the vulnerability being exploited, a remote attacker could inject arbitrary code, conduct cross-site scripting attacks, obtain sensitive information, bypass security restrictions or cause a denial-of-service vulnerability on the targeted system.

Customers are advised to install WordPress 4.5.3 or later versions to remediate the vulnerabilities.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

WordPress 4.5.3 or later