PatchSiren cyber security CVE debrief

CVE-2017-5492 WordPress CVE debrief

CVE-2017-5492 is a cross-site request forgery issue in WordPress widget-editing accessibility mode. A remote attacker could trick an authenticated victim into submitting a widgets-access request without consent, potentially changing widget settings in the victim's session. WordPress addressed the issue in version 4.7.1.

Vendor: WordPress
Product: CVE-2017-5492
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-15
Original CVE updated: 2026-05-13
Advisory published: 2017-01-15
Advisory updated: 2026-05-13

Who should care

WordPress site owners, administrators, and anyone managing wp-admin access on installations running WordPress 4.7 or earlier should treat this as relevant. It matters most where privileged users can be induced to follow attacker-controlled links or otherwise load forged requests while logged in.

Technical summary

NVD classifies the issue as CWE-352 (cross-site request forgery) and lists affected WordPress versions through 4.7. The vulnerable path is the widget-editing accessibility-mode flow in wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php. Because the request is processed in an authenticated admin context, the attack requires user interaction (the CVSS vector includes UI:R), but a successful forged request can still impact confidentiality, integrity, and availability at high severity.

Defensive priority

High

Recommended defensive actions

  • Upgrade WordPress to 4.7.1 or later as the primary remediation.
  • Verify all sites and test environments are not running WordPress 4.7 or earlier.
  • Review any admin-side customizations or automation that interact with widget management for proper CSRF protections.
  • Limit access to privileged WordPress accounts to only users who need widget administration.
  • Monitor for unexpected widget configuration changes in administrative activity logs after upgrading.
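To make the third item concrete, the following is an added example (not WordPress core code and not the 4.7.1 patch) of the CSRF protection a reviewer should expect around an admin-side widget-management action: links are generated with a nonce and the handler verifies both capability and nonce before touching any setting. The function names prefixed with example_ and the nonce action string are hypothetical; wp_nonce_url, check_admin_referer, current_user_can, set_user_setting, admin_url, add_query_arg and the admin_init hook are standard WordPress APIs.

```php
<?php
// Added example, not WordPress core: a hypothetical admin-side handler
// that toggles widget-editing accessibility mode for the current user.
// The defensive pattern is: issue links with a nonce bound to the action
// and the user, then verify capability + nonce before changing anything.

// Build the toggle link. wp_nonce_url() appends a _wpnonce parameter tied
// to the action name and the logged-in user's session, so a link forged
// on an attacker-controlled page cannot carry a valid value.
function example_widgets_access_link( $mode ) {
    $mode = ( 'on' === $mode ) ? 'on' : 'off';
    $url  = add_query_arg( 'widgets-access', $mode, admin_url( 'widgets.php' ) );
    return wp_nonce_url( $url, 'example-widgets-access' );
}

// Handle the request on admin_init. Order matters: reject unprivileged
// users first, then reject any request lacking a valid nonce, and only
// then persist the new setting.
function example_handle_widgets_access() {
    if ( ! isset( $_GET['widgets-access'] ) ) {
        return; // nothing to do for ordinary admin page loads
    }

    // Capability check: 'edit_theme_options' is the capability WordPress
    // requires for widget administration.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'You are not allowed to change widget settings.' );
    }

    // CSRF check: check_admin_referer() calls wp_die() when the _wpnonce
    // parameter is missing, expired, or issued for a different action/user.
    check_admin_referer( 'example-widgets-access' );

    // Normalise the value so only the two expected states are stored.
    $mode = ( 'on' === $_GET['widgets-access'] ) ? 'on' : 'off';

    // Persist the preference for this user only (per-user setting, not a
    // site-wide option), then redirect to drop the action from the URL.
    set_user_setting( 'widgets_access', $mode );
    wp_safe_redirect( admin_url( 'widgets.php' ) );
    exit;
}
add_action( 'admin_init', 'example_handle_widgets_access' );
```

When reviewing custom admin code, the absence of a nonce check between the capability check and the state change is the defect class this CVE belongs to.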

Evidence notes

The NVD record identifies the weakness as CWE-352 and lists vulnerable WordPress versions ending at 4.7 with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. WordPress release notes for 4.7.1 and the linked core commit show the vendor fix, while the WordPress security announcement confirms the remediation path.

Official resources

The CVE was published on 2017-01-15. WordPress references tie the fix to the 4.7.1 security and maintenance release and its corresponding core patch. The NVD record was later updated on 2026-05-13, which is record maintenance rather than a