wordpress: multiple vulnerabilities

Package(s): wordpress
CVE #(s): CVE-2015-8834, CVE-2016-4029, CVE-2016-6634, CVE-2016-6635
Created: September 23, 2016
Updated: October 3, 2016
Description:

From the Debian-LTS advisory:

CVE-2015-8834 - Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440.

CVE-2016-4029 - WordPress before 4.5 does not consider octal and hexadecimal IP address formats when determining an intranet address, which allows remote attackers to bypass an intended SSRF protection mechanism via a crafted address.

CVE-2016-6634 - Cross-site scripting (XSS) vulnerability in the network settings page in WordPress before 4.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2016-6635 - Cross-site request forgery (CSRF) vulnerability in the wp_ajax_wp_compression_test function in wp-admin/includes/ajax-actions.php in WordPress before 4.5 allows remote attackers to hijack the authentication of administrators for requests that change the script compression option.

Alerts:
Debian DSA-3681-2 wordpress 2016-10-01
Debian DSA-3681-1 wordpress 2016-09-29
Debian-LTS DLA-633-1 wordpress 2016-09-22
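CVE-2016-4029 above turns on how a server-side URL filter classifies an address before fetching it. The following is an added example, not WordPress's code and not part of the advisory: a check that only ever classifies plain dotted-decimal literals, beside one that first canonicalizes octal, hex and shortened IPv4 spellings the way libc inet_aton() does. The BLOCKED list, the function names and the parsing helper are this example's own assumptions.

```python
import ipaddress
import re

# Constructed deny-list for the example: loopback, RFC 1918 and link-local.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
_DOTTED_DECIMAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_PART = re.compile(r"^(?:0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)

def naive_is_intranet(host: str) -> bool:
    """Pre-fix style check: only plain dotted-decimal literals are classified, so
    "0177.0.0.1", "0x7f.0.0.1" or "2130706433" fall through as 'not intranet' even
    though libc inet_aton() (and so the HTTP client) resolves them to 127.0.0.1."""
    if not _DOTTED_DECIMAL.match(host):
        return False
    return any(ipaddress.ip_address(host) in net for net in BLOCKED)

def _parse_part(part: str) -> int:
    """One inet_aton component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if not _PART.match(part):
        raise ValueError(part)
    low = part.lower()
    if low.startswith("0x"):
        return int(low[2:], 16)
    return int(low, 8) if len(low) > 1 and low[0] == "0" else int(low)

def canonicalize_ipv4(host: str):
    """Dotted-decimal form of an inet_aton-style literal (1-4 parts, each decimal,
    octal or hex; the last part fills the remaining bytes), or None if not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    tail_bits = 8 * (5 - len(values))  # bits covered by the last part
    if any(v > 255 for v in values[:-1]) or values[-1] >> tail_bits:
        return None
    addr = 0
    for v in values[:-1]:
        addr = (addr << 8) | v
    return str(ipaddress.IPv4Address((addr << tail_bits) | values[-1]))

def hardened_is_intranet(host: str) -> bool:
    """Classify after canonicalizing, so every spelling of a blocked address is caught."""
    canonical = canonicalize_ipv4(host)
    if canonical is None:
        return False  # not an IPv4 literal: resolve, then re-check the IPs (not shown)
    return any(ipaddress.ip_address(canonical) in net for net in BLOCKED)
```

A hostname that passes this check still has to be resolved and the returned addresses re-checked, and the client should not follow redirects without repeating the check.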

Copyright © 2026, Eklektix, Inc.