PatchSiren

CVE-2017-5610 Debian CVE debrief

CVE-2017-5610 is a WordPress core information-disclosure issue in Press This. Before WordPress 4.7.2, the taxonomy-assignment user interface in wp-admin/includes/class-wp-press-this.php did not properly restrict visibility, allowing remote attackers to read terms they should not have been able to access. NVD rates the issue CVSS 5.3 (medium) with network access, no privileges, and no user interaction required. Upgrading to WordPress 4.7.2 or later resolves the issue, and Debian references the upstream fix in DSA-3779.

Vendor: Debian
Product: CVE-2017-5610
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-30
Original CVE updated: 2026-05-13
Advisory published: 2017-01-30
Advisory updated: 2026-05-13

Who should care

WordPress site operators running 4.7.1 or earlier, managed hosting providers, and Debian-based administrators tracking WordPress security updates. Security teams should also care if Press This remains enabled or if taxonomy data exposure matters in their environment.

Technical summary

The vulnerable code path is in wp-admin/includes/class-wp-press-this.php. In affected releases, Press This exposed a taxonomy-assignment interface without correctly enforcing visibility restrictions, which could let an unauthenticated remote attacker read taxonomy terms. The NVD entry maps the weakness to CWE-200 and lists WordPress versions through 4.7.1 as affected; it also includes Debian Linux 8.0 and 9.0 CPE criteria in its affected-platform mapping. The upstream fix is linked to the WordPress 4.7.2 security release and commit 21264a31e0849e6ff793a06a17de877dd88ea454.

Defensive priority

Medium. The impact is limited to information disclosure, but the attack requires no authentication or user interaction and is reachable over the network.

Recommended defensive actions

  • Upgrade WordPress to 4.7.2 or later.
  • If you rely on Debian-packaged WordPress, follow Debian security advisory DSA-3779 and apply the vendor update path used in your environment.
  • Verify that any Press This-related administrative interfaces are not exposed to unauthorized users after updating.
  • Use the WordPress 4.7.2 release notes and the upstream patch commit as remediation references when validating change control.
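
To find installs that still need the first action, the version check can be scripted across a host. This is an added example, not code from WordPress, Debian or this debrief; it assumes each install declares its core version as `$wp_version` in wp-includes/version.php, and the function names are illustrative.

```python
import re
import sys
from pathlib import Path

FIXED = (4, 7, 2)  # first fixed release named in this debrief

# Assumption: core declares its version in wp-includes/version.php
# as a line of the form  $wp_version = '4.7.1';
_VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)


def parse_wp_version(php_source):
    """Return the $wp_version string found in version.php text, or None."""
    match = _VERSION_RE.search(php_source)
    return match.group(1) if match else None


def version_tuple(version):
    """'4.7' -> (4, 7, 0); '4.7.2-RC1' -> (4, 7, 2)."""
    nums = re.match(r"\d+(?:\.\d+)*", version)
    if nums is None:
        raise ValueError(f"no numeric version in {version!r}")
    parts = [int(p) for p in nums.group(0).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True for anything older than 4.7.2; pre-releases of 4.7.2 count too."""
    core = version_tuple(version)
    return core < FIXED or (core == FIXED and "-" in version)


def audit(root):
    """Return [(install_dir, version, status)] for each core found under root."""
    results = []
    for vfile in sorted(Path(root).rglob("wp-includes/version.php")):
        version = parse_wp_version(vfile.read_text(errors="replace"))
        try:
            status = "affected" if is_affected(version or "") else "fixed"
        except ValueError:
            status = "unknown"  # version line missing or not numeric
        results.append((str(vfile.parent.parent), version, status))
    return results


if __name__ == "__main__":
    for path, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:9} {version or '?':14} {path}")
```

Distribution packages may carry a backported fix without changing `$wp_version`, so for Debian-packaged installs compare the installed package version against DSA-3779 rather than relying on this output.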

Evidence notes

All claims above are supported by the supplied NVD record and its referenced WordPress/Debian advisories. The source metadata identifies WordPress versions through 4.7.1 as vulnerable, cites CWE-200, and includes the WordPress 4.7.2 security release plus commit 21264a31e0849e6ff793a06a17de877dd88ea454 as patch references. Debian DSA-3779 is listed as a third-party advisory reference.

Official resources

Published by NVD on 2017-01-30. The supplied source record was last modified on 2026-05-13, but that is a record-update timestamp, not the vulnerability date. The remediation references point to the WordPress 4.7.2 security release and the