Re: Re: Possible CVE Request: Wordpress 4.1.2 security release

[Hanno Böck <hanno () hboeck de>]

On Tue, 28 Apr 2015 15:27:03 -0400 (EDT)
cve-assign () mitre org wrote:

> > https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/
>
> > Due to a now-fixed ambiguity in the documentation for the
> > add_query_arg() and remove_query_arg() functions, many plugins were
> > using them incorrectly, allowing for potential XSS attack vectors in
> > their code.
>
> We feel that this documentation ambiguity isn't necessarily a
> vulnerability in the WordPress product itself. There seems to be
> related documentation of add_query_arg within the
> wp-includes/functions.php file. If the vendor decides to change the
> documentation at
> https://core.trac.wordpress.org/browser/trunk/src/wp-includes/functions.php
> and wants a CVE ID for that, then we would assign one.

I think the issues here are vulnerabilities in plugins.

Sources:
https://scrutinizer-ci.com/blog/php-security-analysis-finds-xss-vulnerability-in-popular-wordpress-plugins
https://yoast.com/coordinated-security-release/
https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

The sucuri blog post lists a whole number of affected plugins. Maybe at
least the more popular ones (jetpack, wordpress seo, google analytics
by yoast, all in one seo) should get their own CVEs.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: _bin
Description: OpenPGP digital signature