wordpress: multiple vulnerabilities

Package(s): wordpress
CVE #(s): CVE-2015-3438 CVE-2015-3439 CVE-2015-3440
Created: April 27, 2015
Updated: May 21, 2015
Description: From the WordPress announcement:

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Cedric Van Bockhaven and fixed by Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team.

We also fixed three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded. Discovered by Michael Kapfer and Sebastian Kraemer of HSASec.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack. Discovered by Jakub Zoczek.
  • Some plugins were vulnerable to an SQL injection vulnerability. Discovered by Ben Bidner of the WordPress security team.

Alerts:
Debian-LTS  DLA-633-1         wordpress  2016-09-22
Mageia      MGASA-2015-0202   wordpress  2015-05-09
Debian      DSA-3250-1        wordpress  2015-05-04
Mageia      MGASA-2015-0170   wordpress  2015-04-25
Fedora      FEDORA-2015-6790  wordpress  2015-05-20
Debian-LTS  DLA-236-1         wordpress  2015-06-01
Fedora      FEDORA-2015-6808  wordpress  2015-05-20

Copyright © 2026, Eklektix, Inc.