PatchSiren cyber security CVE debrief

CVE-2017-5611 Oracle CVE debrief

CVE-2017-5611 is a critical SQL injection vulnerability affecting WordPress before 4.7.2. The issue is in wp-includes/class-wp-query.php within WP_Query, and the CVE description says exploitation depends on an affected plugin or theme that mishandles a crafted post type name. WordPress 4.7.2 is the documented security release in the source corpus.

Vendor: Oracle
Product: CVE-2017-5611
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-30
Original CVE updated: 2026-05-13
Advisory published: 2017-01-30
Advisory updated: 2026-05-13

Who should care

WordPress site operators, managed hosting providers, plugin and theme developers, and security teams responsible for inventories that include WordPress 4.7.1 or earlier should prioritize this. It is also worth validating any environments matching the additional NVD-mapped Debian and Oracle Data Integrator CPEs in the source corpus.

Technical summary

The vulnerability is a SQL injection in WordPress WP_Query, specifically in wp-includes/class-wp-query.php, affecting WordPress versions before 4.7.2. According to the CVE description, the flaw is only reachable when an installed plugin or theme mishandles a crafted post type name; in that case a remote attacker can influence the generated SQL and execute arbitrary SQL commands. NVD classifies the weakness as CWE-89 and assigns a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade WordPress to 4.7.2 or later using the documented security release.
  • Audit installed plugins and themes for custom post type handling, especially code that builds queries from user-influenced values.
  • Remove or replace any plugin or theme that mishandles post type names or has not been maintained.
  • Review application and database logs for unusual query patterns around WordPress query handling.
  • If you manage Debian or Oracle Data Integrator assets listed by NVD for this CVE, confirm whether the affected component is actually present and patched in your environment.
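As an added example, not PatchSiren's content and not WordPress project tooling, the POSIX shell script below performs two of the checks above offline: it reads $wp_version from wp-includes/version.php and compares it against 4.7.2 (the first fixed release named in this debrief), and it runs a grep heuristic over plugin and theme PHP sources for lines that pass request superglobals straight into a post type. The install tree, version strings and demo.php contents it builds are constructed for the example; the grep heuristic is a triage aid only, so every hit still needs manual review of how the value reaches WP_Query.

```shell
#!/bin/sh
# Added example (not PatchSiren's or WordPress's own code): offline checks for
# CVE-2017-5611 exposure in a WordPress install tree.
set -u

FIXED_VERSION="4.7.2"   # first fixed release cited by the debrief

# Compare two dotted version strings; prints -1, 0 or 1 for a<b, a=b, a>b.
# Non-numeric suffixes such as "-beta1" are ignored (assumption of this example).
version_cmp() {
  a="$1."; b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# Extract the core version from wp-includes/version.php ($wp_version = '4.7.1';).
wp_version_from_tree() {
  sed -n 's/^\$wp_version = .\([0-9][0-9.]*\).*/\1/p' "$1/wp-includes/version.php"
}

# Exit 0 when the tree runs a version below FIXED_VERSION, 1 when patched,
# 2 when no version could be read.
wp_is_vulnerable() {
  f="$1/wp-includes/version.php"
  if [ ! -r "$f" ]; then
    echo "no readable $f" >&2
    return 2
  fi
  v=$(wp_version_from_tree "$1")
  if [ -z "$v" ]; then
    echo "could not parse \$wp_version in $f" >&2
    return 2
  fi
  [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Heuristic audit: print file:line:text for PHP lines where a post_type value
# and a request superglobal appear together. /dev/null forces the filename
# prefix even when grep sees a single file.
audit_post_type_inputs() {
  find "$1" -name '*.php' -exec grep -nE \
    'post_type.*\$_(GET|POST|REQUEST|COOKIE)|\$_(GET|POST|REQUEST|COOKIE).*post_type' \
    /dev/null {} + || true
}

# Build a constructed install tree carrying the given version; prints its path.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes" "$d/wp-content/plugins/demo"
  printf '<?php\n$wp_version = %s;\n' "'$1'" > "$d/wp-includes/version.php"
  cat > "$d/wp-content/plugins/demo/demo.php" <<'EOF'
<?php
// constructed: risky pattern, request value used directly as the post type
$q = new WP_Query( array( 'post_type' => $_GET['type'] ) );
// constructed: safer pattern, value checked against registered post types first
$requested = sanitize_key( $_GET['type'] );
$type = post_type_exists( $requested ) ? $requested : 'post';
EOF
  printf '%s\n' "$d"
}

# Stand-alone demonstration against the constructed tree.
tree=$(make_demo_tree 4.7.1)
echo "WordPress version in tree: $(wp_version_from_tree "$tree")"
if wp_is_vulnerable "$tree"; then
  echo "below $FIXED_VERSION: upgrade required"
else
  echo "at or above $FIXED_VERSION"
fi
echo "Lines passing request input as a post type (manual review needed):"
audit_post_type_inputs "$tree/wp-content"
rm -rf "$tree"
```

In practice, point wp_is_vulnerable at each document root in your inventory and audit_post_type_inputs at wp-content/plugins and wp-content/themes; only the line that hands $_GET directly to WP_Query is flagged in the constructed plugin, while the validated variant passes the heuristic because the superglobal and the post_type lookup sit on separate lines.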

Evidence notes

The CVE description states that WordPress before 4.7.2 is affected and that exploitation requires an affected plugin or theme mishandling a crafted post type name. NVD lists CWE-89 and references the WordPress 4.7.2 security release, the WordPress patch commit, and a Debian advisory. The source corpus also includes additional NVD CPE mappings for Debian 8/9 and Oracle Data Integrator 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0, so scope should be validated against actual installed products.

Official resources

Published on 2017-01-30. The source corpus ties remediation to the WordPress 4.7.2 security release and related patch references.