[arch-security] [ASA-201508-2] wordpress: multiple issues
Remi Gacogne
rgacogne at archlinux.org
Fri Aug 7 09:11:37 UTC 2015
Arch Linux Security Advisory ASA-201508-2
=========================================
Severity: High
Date : 2015-08-07
CVE-ID : CVE-2015-2213 CVE-2015-5730 CVE-2015-5731 CVE-2015-5732
CVE-2015-5733 CVE-2015-5734
Package : wordpress
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package wordpress before version 4.2.4-1 is vulnerable to multiple
issues, including XSS and SQL injection.
Resolution
==========
Upgrade to 4.2.4-1>.
# pacman -Syu "wordpress>=4.2.4-1"
The problem has been fixed upstream in version 4.2.4.
Workaround
==========
None.
Description
===========
- CVE-2015-2213:
SQL injection in comments ID.
- CVE-2015-5730:
Timing attack in widgets.
- CVE-2015-5731:
Denial of service by locking a post from being edited.
- CVE-2015-5732, CVE-2015-5733 CVE-2015-5734:
XSS.
Impact
======
A remote attacker could lock a post from being edited, or compromise a
site running wordpress.
References
==========
https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/
https://codex.wordpress.org/Version_4.2.4
https://access.redhat.com/security/cve/CVE-2015-2213
https://access.redhat.com/security/cve/CVE-2015-5730
https://access.redhat.com/security/cve/CVE-2015-5731
https://access.redhat.com/security/cve/CVE-2015-5732
https://access.redhat.com/security/cve/CVE-2015-5733
https://access.redhat.com/security/cve/CVE-2015-5734
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150807/fae9e164/attachment.asc>
More information about the arch-security
mailing list