PatchSiren

CVE-2017-6103 Anyvar Project CVE debrief

CVE-2017-6103 describes a persistent cross-site scripting (XSS) vulnerability in the AnyVar WordPress plugin version 0.1.1. NVD classifies it as CWE-79 with a CVSS v3.0 score of 6.1 (medium), indicating network-based exploitation that requires user interaction and can affect confidentiality and integrity through script execution in a victim’s browser. The record was published by NVD on 2017-03-02 and later updated on 2026-05-13; that later date reflects metadata maintenance, not the original disclosure date.

Vendor: Anyvar Project
Product: CVE-2017-6103
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

WordPress site operators running AnyVar v0.1.1, security teams responsible for plugin inventory and web application hardening, and maintainers or integrators who rely on AnyVar in production sites.

Technical summary

NVD lists CVE-2017-6103 as a persistent XSS issue in anyvar_project:anyvar version 0.1.1 for WordPress. The official NVD record maps it to CWE-79 and assigns CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which indicates remote exploitation without privileges but with user interaction required. Because the flaw is persistent, malicious script content can be stored and later rendered to other users, making it important to treat any affected content or plugin instance as potentially unsafe until verified.

Defensive priority

Medium

Recommended defensive actions

  • Identify whether AnyVar v0.1.1 is installed on any WordPress instance and remove or disable it if it is not actively needed.
  • Check official vendor or project sources for a fixed release or replacement before continuing to use the plugin.
  • Review pages, posts, and plugin-managed content for unexpected or malicious script-like input and clean affected records.
  • Apply standard browser-side and application-side hardening for XSS risk, including output sanitization and least-privilege admin access controls where you maintain the codebase.
  • Use the NVD and referenced advisories to track the issue status and confirm whether your deployed version is the vulnerable 0.1.1 release.

Evidence notes

The NVD record identifies the affected CPE as cpe:2.3:a:anyvar_project:anyvar:0.1.1:*:*:*:*:wordpress:*:* and lists CWE-79 as the weakness. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Referenced third-party advisories include SecurityFocus BID 96532 and VapiLabs advisory v=177. No exploit steps or patch details beyond the supplied corpus are included here.

Official resources

NVD published the CVE record on 2017-03-02T22:59:00.433Z. The record was modified on 2026-05-13T00:24:29.033Z, which should be treated as an update to the database entry rather than the original vulnerability disclosure date.