Debian Security Advisory

DLA-294-1 wordpress -- LTS security update

Date Reported:
19 Aug 2015
Affected Packages:
wordpress
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2015-2213, CVE-2015-5622, CVE-2015-5731, CVE-2015-5732, CVE-2015-5734.
More information:

Several vulnerabilities have been fixed in WordPress, the popular blogging engine.

  • CVE-2015-2213

    SQL injection allowed a remote attacker to compromise the site.

  • CVE-2015-5622

    The robustness of the shortcode HTML tag filter has been improved. The parsing is a bit more strict, which may affect your installation. This is the corrected version of the patch that needed to be reverted in DSA 3328-2.

  • CVE-2015-5731

    An attacker could lock a post that was being edited.

  • CVE-2015-5732

    Cross-site scripting in a widget title allows an attacker to steal sensitive information.

  • CVE-2015-5734

    Some broken links in the legacy theme preview were fixed.

The issues were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A. Baset.

We recommend that you upgrade your wordpress packages.