oss-sec mailing list archives

CVE Requests for WordPress 3.6.1


From: Andrew Nacin <nacin () wordpress org>
Date: Wed, 11 Sep 2013 17:28:26 -0400

Three issues fixed in WordPress 3.6.1:
http://codex.wordpress.org/Version_3.6.1

 * Unsafe PHP unserialization. CWE-502.
http://core.trac.wordpress.org/changeset/25325.

 * Open Redirect / Insufficient Input Validation. CWE-601.
http://core.trac.wordpress.org/changeset/25323 and
http://core.trac.wordpress.org/changeset/25324.

 * Privilege Escalation: a user with an Author role, using a specially
crafted request, was able to create a post that was marked as "written by"
another user. http://core.trac.wordpress.org/changeset/25321.
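
As an added example, not code from this post or from WordPress, the PHP below sketches a hardened counterpart for each of the three bug classes listed above: refusing object-bearing serialized input (CWE-502), validating a redirect target against an allowlist of hosts (CWE-601), and overriding a forged post_author unless the caller holds a capability that permits attributing posts to others. The class, function and role names, the role-to-capability table (edit_others_posts is a WordPress capability name, but the table is a stand-in) and the sample inputs are all constructed for illustration; the post does not describe how each changeset fixed the issue, so none of this should be read as the actual WordPress code.

```php
<?php
// Added example (not WordPress code): one hardened helper per bug class in
// the 3.6.1 advisory. Names, the role map and the sample inputs are constructed.

// --- 1. CWE-502: unserialize() of untrusted data ----------------------------
// Any class loaded in the process can be instantiated from a serialized blob,
// so a class with a side-effecting magic method becomes a gadget.
class LogWriter {
    public $path = '/tmp/app.log';
    public $line = '';
    public function __destruct() {
        // Attacker controls both fields through the blob: arbitrary file write.
        @file_put_contents($this->path, $this->line, FILE_APPEND);
    }
}

function unsafe_restore(string $blob) {
    return unserialize($blob);   // vulnerable: builds LogWriter, __destruct runs later
}

function safe_restore(string $blob) {
    if ($blob === 'b:0;') {      // the one blob that legitimately decodes to false
        return false;
    }
    // allowed_classes => false (PHP 7+) turns every object into
    // __PHP_Incomplete_Class; we then refuse objects outright.
    $value = @unserialize($blob, ['allowed_classes' => false]);
    if ($value === false || contains_object($value)) {
        throw new InvalidArgumentException('refusing malformed or object-bearing blob');
    }
    return $value;
}

function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// --- 2. CWE-601: open redirect ----------------------------------------------
// Returns $location only if it is a local absolute path or an http(s) URL
// whose host is on the allowlist; anything else collapses to $fallback.
function validate_redirect(string $location, string $fallback, array $allowed_hosts): string {
    $location = str_replace('\\', '/', trim($location, " \t\r\n\0\x0B"));
    if (substr($location, 0, 2) === '//') {      // scheme-relative: make the host visible
        $location = 'http:' . $location;
    }
    $parts = parse_url($location);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['scheme'])) {
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return $fallback;                        // javascript:, data:, ...
        }
        if (!isset($parts['host'])) {
            return $fallback;                        // "http:evil.example" style ambiguity
        }
    }
    if (isset($parts['host'])) {
        $allowed = array_map('strtolower', $allowed_hosts);
        // Host comparison also defeats "https://trusted.example@evil.example/".
        return in_array(strtolower($parts['host']), $allowed, true) ? $location : $fallback;
    }
    $path = $parts['path'] ?? '';                    // no scheme, no host: local path only
    return ($path !== '' && $path[0] === '/') ? $location : $fallback;
}

// --- 3. Author role forging post_author ---------------------------------------
// Constructed role -> capability table (stand-in for a real permission system).
const ROLE_CAPS = [
    'author' => ['edit_posts', 'publish_posts'],
    'editor' => ['edit_posts', 'publish_posts', 'edit_others_posts'],
];

function resolve_post_author(array $request, int $current_user, string $role): int {
    $requested = isset($request['post_author']) ? (int) $request['post_author'] : $current_user;
    if ($requested === $current_user) {
        return $current_user;
    }
    // Attributing a post to someone else requires edit_others_posts; a caller
    // without it gets the field overridden server-side instead of trusted.
    $caps = ROLE_CAPS[$role] ?? [];
    return in_array('edit_others_posts', $caps, true) ? $requested : $current_user;
}

// --- demo on constructed inputs (unsafe_restore is deliberately never called) --
$gadget = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"line";s:5:"hello";}';
try {
    safe_restore($gadget);
} catch (InvalidArgumentException $e) {
    echo "blocked: {$e->getMessage()}\n";
}
var_dump(safe_restore('a:1:{s:3:"key";i:42;}'));

foreach (['/wp-admin/', '//evil.example/', 'https://example.org@evil.example/',
          'javascript:alert(1)', 'https://example.org/x'] as $u) {
    printf("%-36s -> %s\n", $u, validate_redirect($u, '/', ['example.org']));
}

echo resolve_post_author(['post_author' => 1], 7, 'author'), "\n";
echo resolve_post_author(['post_author' => 1], 7, 'editor'), "\n";
```

Running the demo shows the gadget blob rejected while a plain array round-trips, the scheme-relative, userinfo and javascript: redirect targets collapsing to the fallback while the allowlisted host and the local path pass through, and the forged post_author being overridden for the author role but honoured for the editor role that holds edit_others_posts.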
