Date: Fri, 27 Jan 2017 07:13:04 +0100
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: Wordpress: 4.7.2 security release: unauthorized bypass,
 SQL injection, cross-site scripting issues

Hi

WordPress has released 4.7.2 as a security release. Quoting from the
advisory, there seem to be three issues fixed (full quoting for the
list archives):

WordPress 4.7.2 is now available. This is a security release for all previous
versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.7.1 and earlier are affected by three security issues:

 1/ The user interface for assigning taxonomy terms in Press This is shown to
users who do not have permissions to use it. Reported by David Herrera of Alley
Interactive.

 2/ WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data.
WordPress core is not directly vulnerable to this issue, but we’ve added
hardening to prevent plugins and themes from accidentally causing a
vulnerability. Reported by Mo Jangda (batmoo).

 3/ A cross-site scripting (XSS) vulnerability was discovered in the posts list
table. Reported by Ian Dunn of the WordPress Security Team.

https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/

Could you please assign CVEs for those issues?

Regards,
Salvatore
