oss-sec mailing list archives
CVE Request: Wordpress: 4.7.2 security release: unauthorized bypass, SQL injection, cross-site scripting issues
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 27 Jan 2017 07:13:04 +0100
Hi,

Wordpress has released 4.7.2 as a security release. Quoting from the
advisory, there seem to be three issues fixed (full quoting for the list
archives):

WordPress 4.7.2 is now available. This is a security release for all
previous versions and we strongly encourage you to update your sites
immediately.

WordPress versions 4.7.1 and earlier are affected by three security
issues:

1/ The user interface for assigning taxonomy terms in Press This is
   shown to users who do not have permissions to use it. Reported by
   David Herrera of Alley Interactive.

2/ WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe
   data. WordPress core is not directly vulnerable to this issue, but
   we’ve added hardening to prevent plugins and themes from accidentally
   causing a vulnerability. Reported by Mo Jangda (batmoo).

3/ A cross-site scripting (XSS) vulnerability was discovered in the
   posts list table. Reported by Ian Dunn of the WordPress Security Team.

https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/

Could you please assign CVEs for those issues?

Regards,
Salvatore
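Editor's added example, not part of the post above or of WordPress itself. The quoted advisory says only that WP_Query can be pushed into SQL injection "when passing unsafe data" and that plugins and themes are the usual source; it does not name the query argument that was hardened, so this does not try to reproduce the 4.7.2 issue. It shows the general defence a plugin should apply regardless of which argument core later hardened: never hand request-controlled strings to WP_Query, map them through an allowlist first. The function names, the request keys (`sort`, `dir`, `per_page`, `page`) and the hostile sample input are all hypothetical constructions for illustration.

```php
<?php
// Added example (not from the oss-sec post or from WordPress itself).
// Function and parameter names are hypothetical; the sample request is
// constructed. Runs under plain PHP 7+; the final commented line shows
// where the result would be handed to WP_Query inside a plugin.

/**
 * Translate untrusted request parameters into a fixed set of WP_Query
 * arguments. Anything outside the allowlist falls back to a safe default,
 * so the strings reaching WP_Query are always ones this code chose.
 */
function safe_listing_query_args(array $request): array {
    // Allowed sort keys -> the exact 'orderby' values we are willing to emit.
    $orderby_allowlist = [
        'date'  => 'date',
        'title' => 'title',
        'name'  => 'name',
    ];
    $order_allowlist = ['asc' => 'ASC', 'desc' => 'DESC'];

    $sort = isset($request['sort']) ? strtolower((string) $request['sort']) : 'date';
    $dir  = isset($request['dir'])  ? strtolower((string) $request['dir'])  : 'desc';

    return [
        'post_type'      => 'post',          // fixed, never taken from the request
        'post_status'    => 'publish',
        'orderby'        => $orderby_allowlist[$sort] ?? 'date',
        'order'          => $order_allowlist[$dir]    ?? 'DESC',
        // Numeric arguments are cast and bounded; trailing SQL is discarded by the cast.
        'posts_per_page' => max(1, min(100, (int) ($request['per_page'] ?? 10))),
        'paged'          => max(1, (int) ($request['page'] ?? 1)),
    ];
}

/**
 * The pattern the advisory warns plugins and themes against: request data
 * forwarded to WP_Query unchanged. Kept here only for contrast.
 */
function unsafe_listing_query_args(array $request): array {
    return [
        'post_type' => 'post',
        'orderby'   => $request['sort'] ?? 'date',   // attacker-controlled string
        'order'     => $request['dir']  ?? 'DESC',   // attacker-controlled string
    ];
}

// Constructed hostile request, the kind of thing a query string can carry.
$hostile = [
    'sort'     => "title) UNION SELECT user_pass FROM wp_users -- ",
    'dir'      => 'desc',
    'per_page' => '9999',
    'page'     => '-3',
];

// The safe builder collapses every hostile value to an allowlisted default;
// the unsafe builder passes the injection string through verbatim.
var_dump(safe_listing_query_args($hostile));
var_dump(unsafe_listing_query_args($hostile));

// Inside a plugin the hardened version would be used as:
//   $q = new WP_Query(safe_listing_query_args(wp_unslash($_GET)));
```

The point of the allowlist is that validation happens on the plugin side, before WP_Query sees the value; the core hardening in 4.7.2 is a second layer, not a reason for plugin code to stop doing this.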