oss-sec mailing list archives
Re: Possible CVE Request: Wordpress 4.1.2 security release
From: cve-assign () mitre org
Date: Tue, 28 Apr 2015 15:27:03 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are CVE IDs for some of the vulnerabilities fixed in either 4.1.2 or 4.2.1.
http://codex.wordpress.org/Version_4.1.2 https://wordpress.org/news/2015/04/wordpress-4-1-2/
WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.
Use CVE-2015-3438. We don't know whether this is related to, for example, the https://core.trac.wordpress.org/changeset/32167 change. Our expectation is that this is not related to the https://core.trac.wordpress.org/changeset/32176 change, because the 4.1.2 announcement says "Four hardening changes, including better validation of post titles within the Dashboard." (There are currently no CVE IDs being assigned for the "Four hardening changes.")
In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
We feel that there isn't yet enough information available to determine the correct number of CVE IDs. This could possibly be related to https://core.trac.wordpress.org/changeset/32172 (if wp_check_filetype had been using a problematic regular expression that resulted in incorrect conclusions about safe file extensions), or https://core.trac.wordpress.org/changeset/32169 (if the issue was in the Plupload codebase), or both.
In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
Use CVE-2015-3439. We don't know whether this is related to, for example, the https://core.trac.wordpress.org/changeset/32167 change.
Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.
We feel that there isn't yet enough information available to determine the correct number of CVE IDs. This could possibly be related to the https://core.trac.wordpress.org/changeset/32165 and https://core.trac.wordpress.org/changeset/32163 changes. In general, it seems possible that one change to the validation of SQL statements resolved SQL injection vulnerabilities affecting the use of plugins in one set of WordPress versions, and another change to the validation of SQL statements resolved SQL injection vulnerabilities affecting the use of plugins in a different set of WordPress versions.
https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/
Due to a now-fixed ambiguity in the documentation for the add_query_arg() and remove_query_arg() functions, many plugins were using them incorrectly, allowing for potential XSS attack vectors in their code.
We feel that this documentation ambiguity isn't necessarily a vulnerability in the WordPress product itself. There seems to be related documentation of add_query_arg within the wp-includes/functions.php file. If the vendor decides to change the documentation at https://core.trac.wordpress.org/browser/trunk/src/wp-includes/functions.php and wants a CVE ID for that, then we would assign one.
http://codex.wordpress.org/Version_4.2.1 https://wordpress.org/news/2015/04/wordpress-4-2-1/ https://core.trac.wordpress.org/changeset/32299
a cross-site scripting vulnerability, which could enable commenters to compromise a site. The vulnerability was discovered by Jouko Pynnonen.
WPDB: Sanity check that any strings being stored in the DB are not too long to store correctly.
Use CVE-2015-3440. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVP929AAoJEKllVAevmvmsU+sH/2iJF4qrDkW1QY27QFktZSvg YF/zQR7jVLHs+74UPyWHMlAgBMxx4y54GUgukvnytE6lI8LMuz6aMJOjbSg+5jWT jZ2mSSbPceH8Bm4cmh4/2dStBDgxFJxFvRm1Lr/9zNpcS4IYRWkZuaKtJbNkBs2X /j+rMdzmtYY2B+naNOkHtGjRloRZE5apd1zRRtS559fho/l6kFSrXMa0uNbdL1eu eG3+BnkRDj6v/zKRpqLW9FXVmiQWu+VW1TIqqCuliD2vjTbSRqEvAtm9GsmUOUhk fJujPRPZbLXLCbZmsJQ/D5tk0VRkXjGi47xhqb7chV5D5JvHDmxVFZuG+duCmQQ= =GzWO -----END PGP SIGNATURE-----
Current thread:
- Possible CVE Request: Wordpress 4.1.2 security release Salvatore Bonaccorso (Apr 26)
- Re: Possible CVE Request: Wordpress 4.1.2 security release cve-assign (Apr 28)
- Re: Re: Possible CVE Request: Wordpress 4.1.2 security release Hanno Böck (Apr 28)
- Re: Possible CVE Request: Wordpress 4.1.2 security release cve-assign (Apr 28)