Debian Security Advisory
DLA-294-1 wordpress -- LTS security update
- Date Reported:
- 19 Aug 2015
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2015-2213, CVE-2015-5622, CVE-2015-5731, CVE-2015-5732, CVE-2015-5734.
- More information:
Several vulnerabilities have been fixed in Wordpress, the popular blogging engine.
SQL Injection allowed a remote attacker to compromise the site.
The robustness of the shortcodes HTML tags filter has been improved. The parsing is a bit more strict, which may affect your installation. This is the corrected version of the patch that needed to be reverted in DSA 3328-2.
An attacker could lock a post that was being edited.
Cross site scripting in a widget title allows an attacker to steal sensitive information.
Fix some broken links in the legacy theme preview.
The issues were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A. Baset.
We recommend that you upgrade your wordpress packages.