PatchSiren cyber security CVE debrief

CVE-2017-5489 Wordpress CVE debrief

CVE-2017-5489 is a high-severity Cross-Site Request Forgery issue in WordPress versions before 4.7.1. The published record describes remote attackers potentially hijacking a victim’s authentication through vectors involving a Flash file upload. The NVD entry maps the issue to CWE-352 and a network-reachable, user-interaction-required attack surface, with vendor references pointing to the WordPress 4.7.1 security release as the fix.

Vendor: Wordpress
Product: CVE-2017-5489
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-15
Original CVE updated: 2026-05-13
Advisory published: 2017-01-15
Advisory updated: 2026-05-13

Who should care

WordPress site owners, administrators, and security teams running WordPress 4.7 or earlier should prioritize this issue, especially where upload-related workflows or legacy Flash-based components are still in use. Any environment that exposes authenticated WordPress actions to browser-based requests should treat CSRF protections as a core control.

Technical summary

The vulnerable scope in the NVD CPE criteria is WordPress versions through 4.7. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a remote attack that does not require privileges but does require victim interaction. The weakness is classified as CWE-352 (CSRF). The referenced WordPress 4.7.1 release notes and security announcement indicate that 4.7.1 is the corrective release.

Defensive priority

High. The issue is publicly disclosed, network-reachable, and capable of high confidentiality, integrity, and availability impact if successfully abused. Even though user interaction is required, CSRF flaws can be practical in real-world web sessions, so patching and session-hardening should be prioritized.

Recommended defensive actions

Upgrade WordPress to 4.7.1 or later, or to a currently supported release.
Review authenticated actions that rely on browser requests and confirm CSRF protections are enforced consistently.
Verify that sensitive WordPress actions require valid anti-CSRF tokens and appropriate origin/referrer validation where applicable.
Reduce exposure from legacy upload paths or plugins/themes that still depend on outdated Flash-era workflows.
Audit administrative accounts and recent activity for suspicious changes if the vulnerable version was exposed.
Use official WordPress release notes and downstream advisories to confirm remediation steps for your deployment.

Evidence notes

This debrief is based on the supplied NVD record and its listed references. The description explicitly identifies a CSRF vulnerability in WordPress before 4.7.1 involving a Flash file upload and cites CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H with CWE-352. The vendor references in the record include the WordPress 4.7.1 security and maintenance release and version notes, which support the corrective version guidance. Downstream advisories and third-party references are present in the NVD metadata, but no unsupported details have been inferred beyond the supplied corpus.

Official resources

CVE-2017-5489 CVE record
CVE.org
CVE-2017-5489 NVD detail
NVD
Source item URL
nvd_modified
Source reference
[email protected]
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Source reference
[email protected]
Source reference
[email protected]
Mitigation or vendor reference
[email protected] - Release Notes, Vendor Advisory
Mitigation or vendor reference
[email protected] - Vendor Advisory
Source reference
[email protected]

Publicly disclosed on 2017-01-15 per the supplied CVE publication timestamp. The supplied references point to WordPress 4.7.1 security materials as the remediation release.