PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5490 WordPress CVE debrief

CVE-2017-5490 is a cross-site scripting (XSS) issue in WordPress versions before 4.7.1. The vulnerable path involves theme-name fallback handling in wp-includes/class-wp-theme.php, with related admin-side theme installer logic noted in wp-admin/includes/class-theme-installer-skin.php. A crafted theme directory name could be rendered into web output and allow arbitrary script or HTML injection. The NVD record classifies the issue as medium severity and links it to CWE-79.

Vendor: WordPress
Product: CVE-2017-5490
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-15
Original CVE updated: 2026-05-13
Advisory published: 2017-01-15
Advisory updated: 2026-05-13

Who should care

WordPress site operators, administrators, managed hosting providers, and security teams responsible for theme installation and admin interface exposure should care, especially if any systems were running WordPress 4.7 or earlier.

Technical summary

The supplied NVD data describes a CWE-79 XSS weakness in WordPress theme-name fallback logic. The CVSS v3.0 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network reachability, low attack complexity, no privileges required, and user interaction needed. Impact is limited to confidentiality and integrity, with scope changed. WordPress 4.7.1 release notes and the linked patch commit indicate the issue was addressed in that release line.

Defensive priority

Medium. The flaw is publicly documented and fixed in WordPress 4.7.1, but the supplied data does not indicate known active exploitation or KEV listing.

Recommended defensive actions

  • Upgrade WordPress to 4.7.1 or later immediately if any affected version is still in use.
  • Review any workflows that install or display themes, especially where theme directory names may come from untrusted sources.
  • Confirm the patch referenced by the WordPress commit and 4.7.1 release notes is present in your deployed codebase.
  • Limit administrative access to trusted users and keep browser-based admin sessions protected with strong authentication and session hygiene.
  • Audit theme packages and custom deployments for unusual directory names or other content that could be rendered in admin interfaces.
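The following script is an added example written for this debrief; it is not code from the advisory, the NVD record, or the WordPress project, and it does not reproduce the actual patch. It illustrates the defensive pattern behind the technical summary (a theme label that falls back to the directory name must be HTML-escaped before output) and automates two of the actions above: checking the deployed version against the 4.7.1 fix line and auditing theme directory names for characters that have no business in a path that may be rendered in the admin UI. It relies on two real WordPress conventions, the `Theme Name:` header in a theme's style.css and the `$wp_version` variable in wp-includes/version.php; the sample theme tree and version.php excerpt are constructed inline so the script runs offline. Function names and the allowlist regex are the example's own choices.

```python
import html
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs (not taken from the advisory): a map of theme
# directory name -> style.css contents standing in for wp-content/themes,
# plus an excerpt in the shape of wp-includes/version.php.
SAMPLE_THEMES: Dict[str, str] = {
    "twentyseventeen": "/*\nTheme Name: Twenty Seventeen\nVersion: 1.0\n*/\n",
    # No "Theme Name:" header, so a display routine must fall back to the directory name.
    "my-child-theme": "/*\nTemplate: twentyseventeen\n*/\n",
    # Constructed hostile directory name: HTML metacharacters, no real payload.
    'bad<name>&"q': "/* no header at all */\n",
}
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.7';\n$wp_db_version = 38590;\n"

# Conservative allowlist for theme directory names (example's own policy).
SAFE_DIR_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_theme_name(style_css: str) -> Optional[str]:
    """Extract the 'Theme Name:' header value from a style.css header block."""
    m = re.search(r"^\s*\*?\s*Theme Name:\s*(.+?)\s*$", style_css, re.MULTILINE)
    return m.group(1) if m else None


def display_name(dir_name: str, style_css: str) -> str:
    """Return an HTML-safe label for a theme.

    Uses the style.css header name when present and falls back to the
    directory name otherwise. Whichever source wins, it is escaped before it
    can reach HTML output; the unescaped fallback is the CWE-79 pattern the
    debrief describes.
    """
    name = parse_theme_name(style_css) or dir_name
    return html.escape(name, quote=True)


def audit_theme_dirs(themes: Dict[str, str]) -> List[str]:
    """Flag directory names containing characters outside the allowlist."""
    return [d for d in themes if not SAFE_DIR_NAME.match(d)]


def parse_wp_version(version_php: str) -> Optional[str]:
    """Pull the $wp_version string out of a version.php file body."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'4.7.1' -> (4, 7, 1); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(version: str) -> bool:
    """True when the version predates the 4.7.1 fix named in the advisory."""
    return version_tuple(version) < (4, 7, 1)


def main() -> None:
    ver = parse_wp_version(SAMPLE_VERSION_PHP)
    print(f"wp_version={ver} affected_by_CVE-2017-5490={is_affected(ver or '0')}")
    for d in audit_theme_dirs(SAMPLE_THEMES):
        print(f"suspicious theme directory name: {d!r}")
    for d, css in SAMPLE_THEMES.items():
        print(f"{d!r} -> safe label {display_name(d, css)!r}")


if __name__ == "__main__":
    main()
```

Run it against a real install by replacing the two constructed inputs with the contents of wp-includes/version.php and the style.css files under wp-content/themes. The allowlist is deliberately strict; a flagged name is a prompt to inspect the package, not proof of compromise.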

Evidence notes

This debrief is based only on the supplied NVD record and linked official/vendor references. The core facts come from the NVD description, CVSS vector, CWE-79 classification, and affected version range ending at WordPress 4.7. The WordPress 4.7.1 release notes and linked GitHub patch commit support that the issue was corrected in 4.7.1. No exploitation or KEV designation is asserted because none is present in the supplied corpus.

Official resources

Publicly disclosed in the supplied NVD record on 2017-01-15, with the vulnerable condition described as affecting WordPress before 4.7.1. The NVD record was modified on 2026-05-13. No KEV listing is included in the supplied data.