oss-sec mailing list archives
Re: Re: Possible CVE Request: Wordpress 4.1.2 security release
From: Hanno Böck <hanno () hboeck de>
Date: Tue, 28 Apr 2015 22:40:28 +0200
On Tue, 28 Apr 2015 15:27:03 -0400 (EDT) cve-assign () mitre org wrote:
https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/Due to a now-fixed ambiguity in the documentation for the add_query_arg() and remove_query_arg() functions, many plugins were using them incorrectly, allowing for potential XSS attack vectors in their code.We feel that this documentation ambiguity isn't necessarily a vulnerability in the WordPress product itself. There seems to be related documentation of add_query_arg within the wp-includes/functions.php file. If the vendor decides to change the documentation at https://core.trac.wordpress.org/browser/trunk/src/wp-includes/functions.php and wants a CVE ID for that, then we would assign one.
I think the issues here are vulnerabilities in plugins. Sources: https://scrutinizer-ci.com/blog/php-security-analysis-finds-xss-vulnerability-in-popular-wordpress-plugins https://yoast.com/coordinated-security-release/ https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html The sucuri blog post lists a whole number of affected plugins. Maybe at least the more popular ones (jetpack, wordpress seo, google analytics by yoast, all in one seo) should get their own CVEs. -- Hanno Böck http://hboeck.de/ mail/jabber: hanno () hboeck de GPG: BBB51E42
Attachment:
_bin
Description: OpenPGP digital signature
Current thread:
- Possible CVE Request: Wordpress 4.1.2 security release Salvatore Bonaccorso (Apr 26)
- Re: Possible CVE Request: Wordpress 4.1.2 security release cve-assign (Apr 28)
- Re: Re: Possible CVE Request: Wordpress 4.1.2 security release Hanno Böck (Apr 28)
- Re: Possible CVE Request: Wordpress 4.1.2 security release cve-assign (Apr 28)