PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5493 WordPress CVE debrief

CVE-2017-5493 is a WordPress Multisite vulnerability in which key generation in wp-includes/ms-functions.php did not use sufficiently random numbers. In affected WordPress versions before 4.7.1, a remote attacker could abuse crafted site or user signup flows to bypass intended access restrictions. WordPress addressed the issue in the 4.7.1 security and maintenance release.

Vendor: WordPress
Product: CVE-2017-5493
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-15
Original CVE updated: 2026-05-13
Advisory published: 2017-01-15
Advisory updated: 2026-05-13

Who should care

Organizations running WordPress Multisite, especially deployments that allow site signups or user signups. Administrators of hosted WordPress platforms and anyone relying on multisite registration controls should prioritize review and patching.

Technical summary

NVD identifies the flaw as CWE-338 (use of cryptographically weak or insufficient randomness). The vulnerable code path is in wp-includes/ms-functions.php, where keys were not chosen with proper randomness. Because the attack path is network-reachable and requires no privileges or user interaction, a remote attacker could attempt to bypass access restrictions through crafted signup requests. The affected version range in the supplied record is WordPress up to and including 4.7, with the fix delivered in 4.7.1.
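The CWE-338 pattern behind this CVE (a secret key derived from a clock value or a non-cryptographic PRNG) is easy to recognise in source review, and the same check applies to any plugin or custom code that mints signup or activation keys. The following Python script is an added example written for this debrief, not WordPress's own code and not taken from ms-functions.php: it scans PHP for assignments to secret-looking variables and flags those whose right-hand side calls only weak sources. The PHP sample it runs over is constructed for illustration, and the weak/strong call lists are this example's own assumptions rather than an official WordPress classification.

```python
import re

# Constructed PHP sample in the style of a Multisite signup helper; this is
# NOT WordPress's wp-includes/ms-functions.php, only illustrative input.
SAMPLE_PHP = r"""<?php
function my_signup_key( $domain ) {
    // weak: clock value plus a non-cryptographic PRNG, hashed with MD5
    $key = substr( md5( time() . rand() . $domain ), 0, 16 );
    return $key;
}
function my_activation_token() {
    $token = uniqid( 'act_', true );
    return $token;
}
function my_good_key() {
    $key = wp_generate_password( 16, false );
    return $key;
}
function my_other_good_key() {
    $activation_key = bin2hex( random_bytes( 16 ) );
    return $activation_key;
}
function unrelated() {
    $count = rand( 1, 10 );
    return $count;
}
"""

# PHP/WordPress calls treated as weak or strong sources for a secret key.
# These lists are an assumption of this example, not an official WordPress list.
WEAK_SOURCES = ("rand", "mt_rand", "time", "microtime", "uniqid", "lcg_value")
STRONG_SOURCES = ("random_bytes", "random_int", "wp_generate_password",
                  "wp_rand", "openssl_random_pseudo_bytes")

# An assignment to a variable whose name suggests it holds a secret.
ASSIGN_RE = re.compile(
    r"\$(\w*(?:key|token|nonce|secret|activation)\w*)\s*=\s*(.+?);", re.IGNORECASE)


def _calls(expr, names):
    """Return the entries of `names` that are invoked as functions in `expr`."""
    return [n for n in names if re.search(r"\b" + re.escape(n) + r"\s*\(", expr)]


def audit_key_generation(php_source):
    """Flag secret-looking assignments whose right-hand side draws only on
    weak randomness sources (the CWE-338 pattern) and on no strong source."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if not m:
            continue
        variable, rhs = m.group(1), m.group(2)
        weak, strong = _calls(rhs, WEAK_SOURCES), _calls(rhs, STRONG_SOURCES)
        if weak and not strong:
            findings.append({"line": lineno, "variable": variable, "weak_sources": weak})
    return findings


if __name__ == "__main__":
    for f in audit_key_generation(SAMPLE_PHP):
        print(f"line {f['line']}: ${f['variable']} built from {', '.join(f['weak_sources'])}")
```

Run against the constructed sample, the script reports the `$key` built from `time()` and `rand()` and the `$token` built from `uniqid()`, while the two CSPRNG-backed keys and the unrelated `$count` are left alone. A line-oriented regex is deliberately simple; it is a triage aid for the "review custom code and plugins" step, not a substitute for reading the flagged functions.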

Defensive priority

High. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating a remotely reachable, low-complexity issue that can materially affect integrity on exposed Multisite installs.

Recommended defensive actions

  • Upgrade WordPress to 4.7.1 or later on all affected Multisite installations.
  • Confirm whether site signup or user signup is enabled, and restrict it if the business does not require it.
  • Review any custom code or plugins that interact with Multisite registration and key generation paths.
  • Verify vendor or distribution packages have been updated if WordPress is managed through a packaged Linux distribution.
  • Check for unexpected signup activity around the Multisite registration flow after patching.
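For the last action, "unexpected signup activity" in practice means a client hammering the Multisite registration endpoints, wp-signup.php and wp-activate.php, far faster than a human completes one signup. The Python script below is an added example for this debrief, not tooling from WordPress or from the CVE record: it parses Apache combined-format access log lines, keeps the requests to those two endpoints per client IP, and raises an alert when any 60-second window holds five or more of them, also reporting how many distinct activation keys that client presented. The log lines are constructed for illustration, and the window and threshold are assumptions to tune for the site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (not a real capture). One
# ordinary visitor signs up and activates once; a second client hits the
# activation endpoint repeatedly with different keys.
SAMPLE_LOG = """\
198.51.100.20 - - [16/Jan/2017:10:00:01 +0000] "POST /wp-signup.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.20 - - [16/Jan/2017:10:05:40 +0000] "GET /wp-activate.php?key=7d2b5c0e9a1f4e33 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2017:10:07:00 +0000] "GET /wp-activate.php?key=c41d9e2a6b70f318 HTTP/1.1" 200 640 "-" "curl/7.52.1"
203.0.113.7 - - [16/Jan/2017:10:07:03 +0000] "GET /wp-activate.php?key=0a77e3d15c9b48f2 HTTP/1.1" 200 640 "-" "curl/7.52.1"
203.0.113.7 - - [16/Jan/2017:10:07:06 +0000] "GET /wp-activate.php?key=e8b3f10d4a26c975 HTTP/1.1" 200 640 "-" "curl/7.52.1"
203.0.113.7 - - [16/Jan/2017:10:07:09 +0000] "GET /wp-activate.php?key=5f0c2a8e7d13b64a HTTP/1.1" 200 640 "-" "curl/7.52.1"
203.0.113.7 - - [16/Jan/2017:10:07:12 +0000] "GET /wp-activate.php?key=91d6b4f3a0e7c258 HTTP/1.1" 200 640 "-" "curl/7.52.1"
203.0.113.7 - - [16/Jan/2017:10:07:15 +0000] "GET /wp-activate.php?key=b2e7a9c04f5d1386 HTTP/1.1" 200 640 "-" "curl/7.52.1"
203.0.113.7 - - [16/Jan/2017:10:45:00 +0000] "GET /wp-activate.php?key=6c3f8d1b2e9a0457 HTTP/1.1" 200 640 "-" "curl/7.52.1"
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Multisite registration flow endpoints (real WordPress file names).
REGISTRATION_ENDPOINTS = ("/wp-signup.php", "/wp-activate.php")


def parse_line(line):
    """Parse one combined-format line; return None for anything unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "target": m.group("target"), "status": int(m.group("status"))}


def detect_registration_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Flag client IPs whose requests to the signup/activation endpoints
    peak at `threshold` or more inside any span of length `window`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if parts.path not in REGISTRATION_ENDPOINTS:
            continue
        key = parse_qs(parts.query).get("key", [None])[0]
        per_ip[rec["ip"]].append((rec["ts"], parts.path, key))

    alerts = []
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "ip": ip,
                "peak_requests_in_window": peak,
                "distinct_activation_keys": len(
                    {k for _, path, k in events if path == "/wp-activate.php" and k}),
                "first_seen": events[0][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_registration_bursts(SAMPLE_LOG):
        print(alert)
```

On the constructed sample only 203.0.113.7 is reported: six activation requests inside one minute and seven distinct keys in total, while the ordinary visitor's single signup and activation stay under the threshold. The distinct-key count is the useful second signal, since one user retrying a legitimate activation link presents the same key each time.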

Evidence notes

The supplied NVD record describes the issue as improper random number selection for keys in wp-includes/ms-functions.php in the Multisite WordPress API, affecting WordPress before 4.7.1. The same record links to the WordPress 4.7.1 release notes and the corresponding patch commit, supporting the fix boundary. NVD also classifies the weakness as CWE-338 and rates the issue with a network-exploitable, no-authentication CVSS v3.0 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The supplied record does not indicate ransomware linkage or KEV listing.

Official resources

Publicly disclosed in January 2017, with the supplied CVE publication timestamp of 2017-01-15 and vendor remediation information pointing to WordPress 4.7.1.