Debian Security Advisory

DLA-294-1 wordpress -- LTS security update

Date Reported:
19 Aug 2015
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2015-2213, CVE-2015-5622, CVE-2015-5731, CVE-2015-5732, CVE-2015-5734.
More information:

Several vulnerabilities have been fixed in Wordpress, the popular blogging engine.

  • CVE-2015-2213

    SQL Injection allowed a remote attacker to compromise the site.

  • CVE-2015-5622

    The robustness of the shortcodes HTML tags filter has been improved. The parsing is a bit more strict, which may affect your installation. This is the corrected version of the patch that needed to be reverted in DSA 3328-2.

  • CVE-2015-5731

    An attacker could lock a post that was being edited.

  • CVE-2015-5732

    Cross site scripting in a widget title allows an attacker to steal sensitive information.

  • CVE-2015-5734

    Fix some broken links in the legacy theme preview.

The issues were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A. Baset.

We recommend that you upgrade your wordpress packages.