Debian Security Advisory

DLA-2630-1 wordpress -- LTS security update

Date Reported:
21 Apr 2021
Affected Packages:
wordpress
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 987065.
In Mitre's CVE dictionary: CVE-2021-29447, CVE-2021-29450.
More information:

  • CVE-2021-29447

    WordPress is an open source CMS. A user with the ability to upload files (such as an Author) can exploit an XML parsing issue in the Media Library, leading to XXE attacks. This requires the WordPress installation to be running on PHP 8. A successful XXE attack allows access to internal files.

  • CVE-2021-29450

    WordPress is an open source CMS. One of the blocks in the WordPress editor can be exploited in a way that exposes password-protected posts and pages. This requires at least Contributor privileges.

For Debian 9 stretch, these problems have been fixed in version 4.7.20+dfsg-1+deb9u1.
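The practical check for this advisory is whether the installed wordpress package is older than 4.7.20+dfsg-1+deb9u1. The following is an added example, not part of the advisory or of Debian's tooling: it reimplements the Debian Policy version ordering (epoch, upstream, revision; `~` sorts before everything, digits compare numerically) so the comparison works on a host without dpkg, and runs it over a constructed sample of `dpkg-query -W -f='${Package} ${Version}\n' wordpress` output.

```python
import re

# Fixed version stated in DLA-2630-1 for Debian 9 stretch.
FIXED = {"wordpress": "4.7.20+dfsg-1+deb9u1"}


def _order(c):
    """Debian ordering for non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        ac = _order(a[i]) if i < len(a) else 0  # end of string sorts as 0
        bc = _order(b[i]) if i < len(b) else 0
        if ac != bc:
            return (ac > bc) - (ac < bc)
    return 0


def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string the way dpkg does."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return (ia > ib) - (ia < ib)
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
    return int(epoch), upstream, rev


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions lt/eq/gt."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def check_dpkg_output(text):
    """Map each known package in dpkg-query output to True if it is still vulnerable."""
    result = {}
    for line in text.splitlines():
        pkg, ver = line.split()
        if pkg in FIXED:
            result[pkg] = compare_versions(ver, FIXED[pkg]) < 0
    return result


# Constructed sample of dpkg-query output for an unpatched stretch host.
SAMPLE = "wordpress 4.7.5+dfsg-2+deb9u7\n"

if __name__ == "__main__":
    print(check_dpkg_output(SAMPLE))
```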

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to its security tracker page at: https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS