Package: wordpress
Version: 6.0.2+dfsg1-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

WordPress 6.0.3 is out and fixes many, many, many security issues:

* Stored XSS via wp-mail.php (post by email)
* Open redirect in `wp_nonce_ays`
* Sender’s email address is exposed in wp-mail.php
* Media Library – Reflected XSS via SQLi
* CSRF in wp-trackback.php
* Stored XSS via the Customizer
* Revert shared user instances introduced in 50790
* Stored XSS in WordPress Core via Comment Editing
* Data exposure via the REST Terms/Tags Endpoint
* Content from multipart emails leaked
* SQL Injection due to improper sanitization in `WP_Date_Query`
* RSS Widget: Stored XSS issue
* Stored XSS in the search block
* Feature Image Block: XSS issue
* RSS Block: Stored XSS issue
* Fix widget block XSS

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-3-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled