Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-1673-1 wordpress

Debian Security Advisory

DLA-1673-1 wordpress -- LTS security update

Date Reported:

11 Feb 2019

Affected Packages:

wordpress

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 916403.
In Mitre's CVE dictionary: CVE-2018-20147, CVE-2018-20148, CVE-2018-20149, CVE-2018-20150, CVE-2018-20151, CVE-2018-20152, CVE-2018-20153.

More information:

• CVE-2018-20147

  Authors could modify metadata to bypass intended restrictions on deleting files.

• CVE-2018-20148

  Contributors could conduct PHP object injection attacks via crafted metadata in a wp.getMediaItem XMLRPC call. This is caused by mishandling of serialized data at phar:// URLs in the wp_get_attachment_thumb_file function in wp-includes/post.php.

• CVE-2018-20149

  When the Apache HTTP Server is used, authors could upload crafted files that bypass intended MIME type restrictions, leading to XSS, as demonstrated by a .jpg file without JPEG data.

• CVE-2018-20150

  Crafted URLs could trigger XSS for certain use cases involving plugins.

• CVE-2018-20151

  The user-activation page could be read by a search engine's web crawler if an unusual configuration were chosen. The search engine could then index and display a user's e-mail address and (rarely) the password that was generated by default.

• CVE-2018-20152

  Authors could bypass intended restrictions on post types via crafted input.

• CVE-2018-20153

  Contributors could modify new comments made by users with greater privileges, possibly causing XSS.

For Debian 8 Jessie, these problems have been fixed in version 4.1.25+dfsg-1+deb8u1.

We recommend that you upgrade your wordpress packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS