Date: Tue, 28 Apr 2015 22:40:28 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Re: Re: Possible CVE Request: Wordpress 4.1.2 security release On Tue, 28 Apr 2015 15:27:03 -0400 (EDT) cve-assign@...re.org wrote: > > https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/ > > > Due to a now-fixed ambiguity in the documentation for the > > add_query_arg() and remove_query_arg() functions, many plugins were > > using them incorrectly, allowing for potential XSS attack vectors in > > their code. > > We feel that this documentation ambiguity isn't necessarily a > vulnerability in the WordPress product itself. There seems to be > related documentation of add_query_arg within the > wp-includes/functions.php file. If the vendor decides to change the > documentation at > https://core.trac.wordpress.org/browser/trunk/src/wp-includes/functions.php > and wants a CVE ID for that, then we would assign one. I think the issues here are vulnerabilities in plugins. Sources: https://scrutinizer-ci.com/blog/php-security-analysis-finds-xss-vulnerability-in-popular-wordpress-plugins https://yoast.com/coordinated-security-release/ https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html The sucuri blog post lists a whole number of affected plugins. Maybe at least the more popular ones (jetpack, wordpress seo, google analytics by yoast, all in one seo) should get their own CVEs. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ