Vulnerability Database

313,825

Total vulnerabilities in the database

CVE-2017-17091

wp-admin/user-new.php in WordPress before 4.9.1 sets the newbloguser key to a string that can be directly derived from the user ID, which allows remote attackers to bypass intended access restrictions by entering this string.

Published: Dec 2, 2017
Updated: Nov 9, 2025
CVE: CVE-2017-17091
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-330

Affected Software
References

Software	From	Fixed in
WordPress / wordpress	-	4.9.x

http://www.securityfocus.com/bid/102024
https://codex.wordpress.org/Version_4.9.1
https://github.com/WordPress/WordPress/commit/eaf1cfdc1fe0bdffabd8d879c591b864d833326c
https://lists.debian.org/debian-lts-announce/2017/12/msg00019.html
https://wordpress.org/news/2017/11/wordpress-4-9-1-security-and-maintenance-release/
https://wpvulndb.com/vulnerabilities/8969
https://www.debian.org/security/2018/dsa-4090

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo