Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 28 Apr 2015 22:40:28 +0200
From: Hanno Böck <>
Subject: Re: Re: Possible CVE Request: Wordpress 4.1.2
 security release

On Tue, 28 Apr 2015 15:27:03 -0400 (EDT) wrote:

> >
> > Due to a now-fixed ambiguity in the documentation for the
> > add_query_arg() and remove_query_arg() functions, many plugins were
> > using them incorrectly, allowing for potential XSS attack vectors in
> > their code.
> We feel that this documentation ambiguity isn't necessarily a
> vulnerability in the WordPress product itself. There seems to be
> related documentation of add_query_arg within the
> wp-includes/functions.php file. If the vendor decides to change the
> documentation at
> and wants a CVE ID for that, then we would assign one.

I think the issues here are vulnerabilities in plugins.


The sucuri blog post lists a whole number of affected plugins. Maybe at
least the more popular ones (jetpack, wordpress seo, google analytics
by yoast, all in one seo) should get their own CVEs.

Hanno Böck


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ