Test ID:1.3.6.1.4.1.25623.1.0.892269
Category:Debian Local Security Checks
Title:Debian LTS: Security Advisory for wordpress (DLA-2269-1)
Summary:The remote host is missing an update for the 'wordpress' package(s) announced via the DLA-2269-1 advisory.
Description:

Vulnerability Insight:
Several vulnerabilities were discovered in WordPress, a web
blogging tool. They allowed remote attackers to perform
various Cross-Site Scripting (XSS) attacks, create open
redirects, escalate privileges, and bypass authorization
checks.

CVE-2020-4046

In affected versions of WordPress, users with low
privileges (like contributors and authors) can use the
embed block in a certain way to inject unfiltered HTML
in the block editor. When affected posts are viewed by a
higher privileged user, this could lead to script
execution in the editor/wp-admin.

CVE-2020-4047

In affected versions of WordPress, authenticated users with
upload permissions (like authors) are able to inject
JavaScript into some media file attachment pages in a certain
way. This can lead to script execution in the context of a
higher privileged user when the file is viewed by them.

CVE-2020-4048

In affected versions of WordPress, due to an issue in
wp_validate_redirect() and URL sanitization, an arbitrary
external link can be crafted leading to unintended/open
redirect when clicked.
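The bug class behind CVE-2020-4048 is a redirect target that passes a same-site check but lands off-site once a browser parses it. The block below is an added example, not WordPress's wp_validate_redirect() and not a reproduction of the specific bypass fixed in 5.4.2 (the advisory gives no details of it). It assumes a single allowed host, example.com, and contrasts a naive "starts with a slash or contains our host" check with a validator that normalises the way browsers do (backslash as slash, protocol-relative URLs, userinfo, control characters) before consulting the allow-list. All sample targets are constructed.

```python
from urllib.parse import urlsplit

# Assumed site origin for this example; a real application derives it from
# its configured home URL rather than a constant.
ALLOWED_HOSTS = {"example.com"}
ALLOWED_SCHEMES = {"http", "https"}
FALLBACK = "/"


def naive_is_safe(location: str) -> bool:
    """The kind of check that yields an open redirect: 'local paths start with
    a slash, anything else is fine if our host appears in the authority'.
    Kept only to show what the hardened version catches."""
    if location.startswith("/"):
        return True
    return "example.com" in urlsplit(location).netloc


def validate_redirect(location: str, fallback: str = FALLBACK) -> str:
    """Return `location` if it is a same-site redirect target, else `fallback`.
    Same shape as an allow-list redirect validator (WordPress included) but
    independent example code."""
    loc = location.strip()  # browsers drop leading/trailing spaces and controls
    # Browsers strip interior tabs/newlines ("htt\tps://" becomes "https://"),
    # so any control character that survives strip() is a smuggling attempt.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in loc):
        return fallback
    # The WHATWG URL parser treats "\" like "/" for http(s) URLs; normalise
    # before any prefix test, otherwise "/\evil.example" looks like a path.
    loc = loc.replace("\\", "/")
    # Protocol-relative URLs ("//host/...") inherit the scheme and go off-site.
    if loc.startswith("//"):
        return fallback
    try:
        parts = urlsplit(loc)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return fallback
    if not parts.scheme and not parts.netloc:
        # No scheme, no authority: a path on the current site. Insist on a
        # leading "/" so a bare "evil.example" is never resolved as a host.
        return loc if loc.startswith("/") else fallback
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return fallback  # javascript:, data:, and friends
    # "https://example.com@evil.example/" carries our host as userinfo.
    if parts.username is not None or parts.password is not None:
        return fallback
    host = (parts.hostname or "").lower()
    # "https:example.com/" parses here with an empty authority, while browsers
    # read it as "https://example.com/"; the empty hostname is simply refused.
    if host not in ALLOWED_HOSTS:
        return fallback
    return loc


# Constructed sample targets, as an attacker might place them in a
# redirect_to parameter. Entries from index 2 onward are all off-site.
SAMPLES = [
    "https://example.com/wp-admin/",
    "/wp-admin/",
    "//evil.example/",
    "/\\evil.example/",
    "https://example.com@evil.example/",
    "https://example.com.evil.example/",
    "https:example.com/",
    "javascript:alert(1)",
    "https://example.com\t@evil.example/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} naive={naive_is_safe(s)!s:5} hardened={validate_redirect(s)!r}")
```

Run as a script, it prints one line per sample; the naive check approves the backslash and userinfo variants, the hardened validator sends every off-site sample to `/`. The validator deliberately rejects rather than "cleans" suspicious input: a stripped tab or a dropped userinfo part would hand the attacker a URL you never saw.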

CVE-2020-4049

In affected versions of WordPress, when uploading themes, the
name of the theme folder can be crafted in a way that could
lead to JavaScript execution in /wp-admin on the themes page.
This does require an admin to upload the theme, and is low
severity self-XSS.

CVE-2020-4050

In affected versions of WordPress, misuse of the
`set-screen-option` filter's return value allows arbitrary
user meta fields to be saved. It does require an admin to
install a plugin that would misuse the filter. Once installed,
it can be leveraged by low privileged users.

Affected Software/OS:
'wordpress' package(s) on Debian Linux.

Solution:
For Debian 8 'Jessie', these problems have been fixed in version
4.1.31+dfsg-0+deb8u1.

We recommend that you upgrade your wordpress packages.

CVSS Score (v2):
6.0

CVSS Vector (v2):
AV:N/AC:M/Au:S/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2020-4046
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-rpwf-hrh2-39jf
Debian Security Information: DSA-4709
https://www.debian.org/security/2020/dsa-4709
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ODNHXVJS25YVWYQHOCICXTLIN5UYJFDN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/773N2ZV7QEMBGKH6FBKI6Q5S3YJMW357/
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
https://lists.debian.org/debian-lts-announce/2020/07/msg00000.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-4047
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-8q2w-5m27-wm27
https://github.com/WordPress/wordpress-develop/commit/0977c0d6b241479ecedfe19e96be69f727c3f81f
https://lists.debian.org/debian-lts-announce/2020/09/msg00011.html
Common Vulnerability Exposure (CVE) ID: CVE-2020-4048
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-q6pw-gvf4-5fj5
https://github.com/WordPress/wordpress-develop/commit/6ef777e9a022bee2a80fa671118e7e2657e52693
Common Vulnerability Exposure (CVE) ID: CVE-2020-4049
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-87h4-phjv-rm6p
https://github.com/WordPress/wordpress-develop/commit/404f397b4012fd9d382e55bf7d206c1317f01148
Common Vulnerability Exposure (CVE) ID: CVE-2020-4050
https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-4vpv-fgg2-gcqc
https://github.com/WordPress/wordpress-develop/commit/b8dea76b495f0072523106c6ec46b9ea0d2a0920
Copyright: Copyright (C) 2020 Greenbone Networks GmbH

© 1998-2020 E-Soft Inc. All rights reserved.