PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5488 WordPress CVE debrief

CVE-2017-5488 covers multiple cross-site scripting (XSS) issues in WordPress’s admin update flow. The vulnerable area is wp-admin/update-core.php, where plugin name or version header data could be injected into an admin-facing page; WordPress addressed the issue in 4.7.1.

Vendor: WordPress
Product: CVE-2017-5488
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-15
Original CVE updated: 2026-05-13
Advisory published: 2017-01-15
Advisory updated: 2026-05-13

Who should care

WordPress site owners, administrators, and managed hosting teams running WordPress 4.7 or earlier. This matters most for environments where trusted administrators access wp-admin pages, because the vulnerability is triggered in an admin context and can expose sensitive sessions or actions to script injection.

Technical summary

The NVD record maps CVE-2017-5488 to CWE-79 and gives a CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The affected range is WordPress versions through 4.7, and the flaw is described as XSS via the name or version header of a plugin in wp-admin/update-core.php. The supplied WordPress 4.7.1 release notes and the linked patch commit are the authoritative fix references.
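The CWE-79 pattern behind this CVE, as an added example that is not WordPress core code and does not reproduce the actual 4.7.1 patch: plugin header fields are read from a file an attacker may control, so the value must be escaped for the HTML context it lands in. The plugin header text is constructed for the demonstration, and PHP's htmlspecialchars() stands in for WordPress's esc_html()/esc_attr() so the script runs stand-alone.

```php
<?php
// Constructed plugin file: header fields carry markup instead of a plain name/version.
$plugin_file_contents = <<<'PLUGIN'
<?php
/*
Plugin Name: Demo Plugin <script>alert('name')</script>
Version: 1.0"><img src=x onerror="alert('version')">
*/
PLUGIN;

/**
 * Minimal parser for the two header fields this advisory concerns.
 * The regex shape mirrors how WordPress reads file headers; the point here is
 * only that these values are file contents, not trusted data.
 */
function parse_plugin_header(string $contents): array {
    $fields = ['Plugin Name' => 'Name', 'Version' => 'Version'];
    $out = ['Name' => '', 'Version' => ''];
    foreach ($fields as $label => $key) {
        $pattern = '/^[ \t\/*#@]*' . preg_quote($label, '/') . ':(.*)$/mi';
        if (preg_match($pattern, $contents, $m)) {
            $out[$key] = trim($m[1]);
        }
    }
    return $out;
}

// Unsafe: raw interpolation into admin-page markup (the CWE-79 defect class).
function render_update_row_unsafe(array $p): string {
    return "<tr><td>{$p['Name']}</td>"
         . "<td data-version=\"{$p['Version']}\">{$p['Version']}</td></tr>";
}

// Hardened: escape for both the text-node and the attribute context.
function render_update_row_safe(array $p): string {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $name = htmlspecialchars($p['Name'], $flags, 'UTF-8');
    $ver  = htmlspecialchars($p['Version'], $flags, 'UTF-8');
    return "<tr><td>{$name}</td>"
         . "<td data-version=\"{$ver}\">{$ver}</td></tr>";
}

$p = parse_plugin_header($plugin_file_contents);
// The unsafe row closes the attribute early and emits live tags; the safe row
// turns every angle bracket and quote into an entity, so the browser shows text.
echo render_update_row_unsafe($p), "\n";
echo render_update_row_safe($p), "\n";
```

The same check applies to any custom admin page that prints plugin or theme metadata: compare the rendered markup with and without escaping before trusting the template.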

Defensive priority

Medium. The issue is pre-auth from the attacker’s perspective but requires user interaction and affects the admin interface, so it is most urgent where WordPress admin users are exposed to untrusted content or where older versions remain deployed.

Recommended defensive actions

  • Upgrade WordPress to 4.7.1 or later as the primary remediation.
  • Verify no sites remain on WordPress 4.7 or earlier, including staging and cloned environments.
  • Review administrative access controls and limit wp-admin exposure where possible.
  • Use strong authentication for administrator accounts and keep admin sessions protected.
  • Validate that custom plugins or integrations do not rely on unsafe rendering of plugin metadata in admin pages.

Evidence notes

Supported by the supplied NVD record, which identifies CWE-79 and the affected version range through 4.7, and by the linked WordPress 4.7.1 release notes plus the WordPress patch commit. The public references in the corpus are dated 2017-01-14 and 2017-01-15, so those dates provide the disclosure context; the 2026 modified timestamp is only a database update and not the vulnerability date.

Official resources

Public references in the corpus indicate coordinated disclosure around mid-January 2017, with the CVE published on 2017-01-15 and related advisory material already available by 2017-01-14. The vendor remediation is documented in the WordPre