High severity7.5NVD Advisory· Published Jan 15, 2017· Updated May 13, 2026

CVE-2017-5493

Description

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted (1) site signup or (2) user signup.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4nvdPatch
www.openwall.com/lists/oss-security/2017/01/14/6nvdMailing ListThird Party Advisory
codex.wordpress.org/Version_4.7.1nvdRelease NotesVendor Advisory
wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/nvdVendor Advisory
www.debian.org/security/2017/dsa-3779nvd
www.securityfocus.com/bid/95401nvd
www.securitytracker.com/id/1037591nvd
wpvulndb.com/vulnerabilities/8721nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000