Source: wordpress
Version: 4.7+dfsg-2
Severity: grave
Tags: upstream security
Justification: user security hole

There are a bunch of security holes in wordpress 4.7. Eight! security issues! The best summary of them is at [1], which lists them as:

 - WordPress 4.3-4.7 - Potential Remote Command Execution (RCE) in PHPMailer
 - WordPress 4.7 - User Information Disclosure via REST API
 - WordPress 2.9-4.7 - Authenticated Cross-Site Scripting (XSS) in update-core.php
 - WordPress 4.7 - Cross-Site Request Forgery (CSRF) via Flash Upload
 - WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
 - WordPress <= 4.7 - Post via Email Checks mail.example.com by Default
 - WordPress 2.8-4.7 - Accessibility Mode Cross-Site Request Forgery (CSRF)
 - WordPress 3.0-4.7 - Cryptographically Weak Pseudo-Random Number Generator (PRNG)

WordPress 4.7.1 apparently fixes them. [2]

Sigh.

1: https://wpvulndb.com/wordpresses
2: https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)