Debian Security Advisory
DLA-2630-1 wordpress -- LTS security update
- Date Reported:
- 21 Apr 2021
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 987065.
In Mitre's CVE dictionary: CVE-2021-29447, CVE-2021-29450.
- More information:
Wordpress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack.
Wordpress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least contributor privileges.
For Debian 9 stretch, these problems have been fixed in version 4.7.20+dfsg-1+deb9u1.
We recommend that you upgrade your wordpress packages.
For the detailed security status of wordpress please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wordpress
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS