Date: Sun, 26 Apr 2015 13:30:00 +0200
From: Salvatore Bonaccorso <>
To: OSS Security Mailinglist <>
Cc: CVE Assignments MITRE <>
Subject: Possible CVE Request: Wordpress 4.1.2 security release


I have not seen a request for CVEs for the issues fixed in the recent
WordPress security release:

> WordPress 4.1.2 is now available. This is a critical security release
> for all previous versions and we strongly encourage you to update your
> sites immediately.
> WordPress versions 4.1.1 and earlier are affected by a critical cross-
> site scripting vulnerability, which could enable anonymous users to
> compromise a site. This was reported by Cedric Van Bockhaven and fixed
> by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress
> security team.
> We also fixed three other security issues:
>  * In WordPress 4.1 and higher, files with invalid or unsafe names
>    could be uploaded. Discovered by Michael Kapfer and Sebastian
>    Kraemer of HSASec.
>  * In WordPress 3.9 and higher, a very limited cross-site scripting
>    vulnerability could be used as part of a social engineering attack.
>    Discovered by Jakub Zoczek.
>  * Some plugins were vulnerable to an SQL injection vulnerability.
>    Discovered by Ben Bidner of the WordPress security team.
> We also made four hardening changes, discovered by J.D. Grimes, Divyesh
> Prajapati, Allan Collins, Marc-Alexandre Montpas and Jeff Bowen.
> We appreciated the responsible disclosure of these issues directly to
> our security team. For more information, see the release notes or
> consult the list of changes.

Could you please assign CVEs to identify the issues fixed by the
latest WordPress release?
