Arch Linux Security Advisory ASA-201508-2
=========================================

Severity: High
Date    : 2015-08-07
CVE-ID  : CVE-2015-2213 CVE-2015-5730 CVE-2015-5731 CVE-2015-5732
          CVE-2015-5733 CVE-2015-5734
Package : wordpress
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package wordpress before version 4.2.4-1 is vulnerable to multiple
issues, including XSS and SQL injection.

Resolution
==========

Upgrade to 4.2.4-1.

# pacman -Syu "wordpress>=4.2.4-1"

The problem has been fixed upstream in version 4.2.4.

Workaround
==========

None.

Description
===========

- CVE-2015-2213: SQL injection in comments ID.
- CVE-2015-5730: Timing attack in widgets.
- CVE-2015-5731: Denial of service by locking a post from being edited.
- CVE-2015-5732, CVE-2015-5733, CVE-2015-5734: XSS.

Impact
======

A remote attacker could lock a post from being edited, or compromise a
site running wordpress.

References
==========

https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-...
https://codex.wordpress.org/Version_4.2.4
https://access.redhat.com/security/cve/CVE-2015-2213
https://access.redhat.com/security/cve/CVE-2015-5730
https://access.redhat.com/security/cve/CVE-2015-5731
https://access.redhat.com/security/cve/CVE-2015-5732
https://access.redhat.com/security/cve/CVE-2015-5733
https://access.redhat.com/security/cve/CVE-2015-5734
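An added example, not part of the advisory, for checking whether an installed wordpress package still predates the 4.2.4-1 fix: it queries pacman and compares Arch-style versions ([epoch:]pkgver-pkgrel) numerically, so that 4.2.10-1 is correctly judged newer than 4.2.4-1 where a plain string comparison would get it wrong. The comparison is a simplified reimplementation of pacman's vercmp ordering (numeric fields only), which is an assumption that holds for wordpress version strings but not for every package.

```python
"""Check an installed wordpress package against the fix in ASA-201508-2."""
import re
import shutil
import subprocess

FIXED_VERSION = "4.2.4-1"  # first fixed package version named in the advisory


def parse_version(ver):
    """Split '[epoch:]pkgver[-pkgrel]' into (epoch, pkgver_tuple, pkgrel_tuple|None).

    Simplified: pkgver and pkgrel are treated as dot-separated numeric fields.
    pacman's real `vercmp` also orders letters and other separators; this is
    an approximation of that algorithm, sufficient for numeric versions.
    """
    m = re.fullmatch(r"(?:(\d+):)?([0-9.]+)(?:-([0-9.]+))?", ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    epoch = int(m.group(1) or 0)
    pkgver = tuple(int(x) for x in m.group(2).split(".") if x)
    pkgrel = None
    if m.group(3) is not None:
        pkgrel = tuple(int(x) for x in m.group(3).split(".") if x)
    return epoch, pkgver, pkgrel


def is_affected(installed, fixed=FIXED_VERSION):
    """True if `installed` sorts before `fixed`, i.e. is still vulnerable."""
    e1, v1, r1 = parse_version(installed)
    e2, v2, r2 = parse_version(fixed)
    if (e1, v1) != (e2, v2):
        return (e1, v1) < (e2, v2)
    if r1 is None or r2 is None:  # like vercmp, pkgrel counts only when both have one
        return False
    return r1 < r2


def installed_wordpress_version():
    """Return the installed wordpress version from pacman, or None if unknown."""
    if shutil.which("pacman") is None:
        return None
    proc = subprocess.run(["pacman", "-Q", "wordpress"], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return proc.stdout.split()[1]  # "wordpress 4.2.4-1" -> "4.2.4-1"


if __name__ == "__main__":
    ver = installed_wordpress_version()
    if ver is None:
        print("wordpress is not installed (or pacman is unavailable)")
    else:
        state = "AFFECTED" if is_affected(ver) else "fixed"
        print(f"wordpress {ver}: {state} (fixed in {FIXED_VERSION})")
```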