CVE-2016-7168
Description
Cross-site scripting (XSS) vulnerability in the media_handle_upload function in wp-admin/includes/media.php in WordPress before 4.6.1 might allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file that has a crafted filename.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in WordPress media upload via crafted image filenames, fixed in version 4.6.1.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the media_handle_upload function in wp-admin/includes/media.php in WordPress versions before 4.6.1 [1][2][3][4]. The function does not properly sanitize image filenames, allowing injection of arbitrary HTML and JavaScript when an administrator uploads an image with a crafted filename [1]. This affects WordPress 4.6 and all earlier versions [4].
Exploitation
An attacker can create a specially crafted image filename containing malicious script tags [1]. To exploit, the attacker must trick a WordPress administrator with the unfiltered_html capability into uploading the malicious image [1][2]. The attacker can lure the admin through social engineering or by spreading a popular image with a crafted name [1]. No other authentication or network position is required beyond the admin's action [1].
Impact
Upon upload, the injected script executes in the context of the administrator's browser session, leading to persistent XSS [1]. The attacker can perform any action the admin can, including creating new administrator accounts, defacing the site, stealing sensitive data, or installing backdoors [1]. The vulnerability is classified as stored XSS with high impact on confidentiality, integrity, and availability [1][2].
Mitigation
The vulnerability is fixed in WordPress version 4.6.1, released on September 7, 2016 [3][4]. All users should update immediately via the Dashboard or by downloading the latest release [4]. No workaround is available; updating is the only complete mitigation [3][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:* (range: <=4.6)
- (no CPE) (range: <4.6.1)
Patches
c9e60dab1766: Media: Sanitize upload filename.
2 files changed · +2 −2
wp-admin/includes/media.php+1 −1 modified@@ -289,7 +289,7 @@ function media_handle_upload($file_id, $post_id, $post_data = array(), $override $url = $file['url']; $type = $file['type']; $file = $file['file']; - $title = $basename; + $title = sanitize_title( $basename ); $content = ''; $excerpt = '';
wp-includes/version.php+1 −1 modified@@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.7-alpha-38536'; +$wp_version = '4.7-alpha-38538'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
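Review bot: in the media.php hunk, `$title = sanitize_title( $basename );` applies a slug sanitizer to a value that is shown as a human-readable attachment title; sanitize_title() lowercases, strips tags and turns whitespace into dashes, so a benign upload such as "Team Photo.jpg" would now be titled "team-photo" rather than "Team Photo". If a readable title is intended, a text sanitizer on this line together with escaping at the point where the title is output would remove the markup without flattening the title. Either way, the hunk only covers the upload path, so attachment rows stored before this change keep whatever title they already carry and need a separate cleanup.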
Vulnerability mechanics
Root cause
"Missing sanitization of uploaded image filenames before using them as the image title in attachment pages."
Attack vector
An attacker crafts an image file whose filename contains a Cross-Site Scripting payload (e.g., `cengizhansahinsumofpwn<img src=a onerror=alert(document.cookie)>.jpg`). The attacker then uses social engineering to trick a WordPress administrator into uploading this file via the Media Upload functionality [ref_id=1]. Because the filename is used unsanitized as the image title on public attachment pages, the injected script executes in the browser of any visitor viewing that attachment page [CWE-79]. The attack requires the admin to be on an operating system (e.g., macOS or Linux) that allows such special characters in filenames [ref_id=1].
Affected code
The vulnerable code is in `wp-admin/includes/media.php` within the `media_handle_upload` function. The file name (basename) of an uploaded image was used directly as the image title without sanitization, allowing HTML/JavaScript to be stored and later rendered on attachment pages.
What the fix does
The patch wraps `$basename` in `sanitize_title()` when assigning it to `$title` in `media_handle_upload` [patch_id=1995593]. sanitize_title() strips HTML tags and reduces what remains to a slug-style string (lowercase letters, digits, underscores and dashes), so no embedded markup or JavaScript survives to be stored as the image title. As a result, even if an admin uploads a file with a maliciously crafted name, the title shown on attachment pages is a plain sanitized string rather than raw HTML [ref_id=3].
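An added walkthrough (my own Python, not WordPress code) of the title derivation before and after the fix, using the crafted filename quoted in the attack-vector text; the slugifier approximates what sanitize_title() does and is not the WordPress function, and the heading template and the stored-title check are constructed for this example.

```python
import html
import re

# Constructed sample: the crafted filename quoted in the attack-vector text.
CRAFTED_NAME = "cengizhansahinsumofpwn<img src=a onerror=alert(document.cookie)>.jpg"

def basename_without_ext(filename: str) -> str:
    """Stand-in for the upload handler's extension stripping (assumption)."""
    return filename.rsplit(".", 1)[0] if "." in filename else filename

def sanitize_title_approx(text: str) -> str:
    """Approximates WordPress sanitize_title(); not the WP implementation.
    Steps: strip tags, lowercase, keep [a-z0-9 _-], whitespace -> '-',
    collapse repeated dashes, trim leading/trailing dashes."""
    text = re.sub(r"<[^>]*>", "", text).lower()
    text = re.sub(r"[^a-z0-9 _-]", "", text)
    text = re.sub(r"\s+", "-", text)
    return re.sub(r"-+", "-", text).strip("-")

def title_before_fix(filename: str) -> str:
    """Pre-4.6.1 path shown in the diff: $title = $basename (no sanitizing)."""
    return basename_without_ext(filename)

def title_after_fix(filename: str) -> str:
    """Patched path: $title = sanitize_title( $basename )."""
    return sanitize_title_approx(basename_without_ext(filename))

def render_heading_unescaped(title: str) -> str:
    """Constructed attachment template that echoes the title raw (the sink)."""
    return f"<h1>{title}</h1>"

def render_heading_escaped(title: str) -> str:
    """Same sink with output escaping, the defence-in-depth counterpart."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"

def has_markup(title: str) -> bool:
    """Defender check for titles stored before the upgrade: the patch only
    covers new uploads, so existing attachment titles may still carry tags."""
    return re.search(r"<[^>]+>", title) is not None

def flag_suspicious_titles(titles):
    """Return the (constructed) stored titles that would need cleanup."""
    return [t for t in titles if has_markup(t)]

if __name__ == "__main__":
    print(render_heading_unescaped(title_before_fix(CRAFTED_NAME)))
    print(render_heading_unescaped(title_after_fix(CRAFTED_NAME)))
```

Running it prints the raw `<img ...>` tag inside the heading for the pre-fix path and the plain slug `cengizhansahinsumofpwn` for the patched path.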
Preconditions
- config: The victim (WordPress admin) must use an operating system that allows special characters in filenames, such as macOS or Linux
- input: The admin must be tricked via social engineering into uploading the malicious image file
- network: The attacker must know or discover the URL of the uploaded attachment page
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- codex.wordpress.org/Version_4.6.1 (nvd: Patch)
- github.com/WordPress/WordPress/commit/c9e60dab176635d4bfaaf431c0ea891e4726d6e0 (nvd: Patch)
- wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/ (nvd: Patch, Vendor Advisory)
- www.openwall.com/lists/oss-security/2016/09/08/19 (nvd: Third Party Advisory)
- www.openwall.com/lists/oss-security/2016/09/08/24 (nvd: Third Party Advisory)
- www.securityfocus.com/bid/92841 (nvd: Third Party Advisory, VDB Entry)
- sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html (nvd: Third Party Advisory)
- www.debian.org/security/2016/dsa-3681 (nvd)
- wpvulndb.com/vulnerabilities/8615 (nvd)
News mentions
No linked articles in our index yet.