Source: wordpress
Version: 5.4.1+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole

WordPress 5.4.2 is out and fixes the following vulnerabilities:

Props to Sam Thomas (jazzy2fives) for finding an XSS issue where authenticated 
users with low privileges are able to add JavaScript to posts in the block 
editor.
https://core.trac.wordpress.org/changeset/47948
All releases

Props to Luigi – (gubello.me) for discovering an XSS issue where authenticated 
users with upload permissions are able to add JavaScript to media files.
https://core.trac.wordpress.org/changeset/47947 (I think)
All releases

Props to Ben Bidner of the WordPress Security Team for finding an open redirect 
issue in wp_validate_redirect().
https://core.trac.wordpress.org/changeset/47949
All releases

Props to Nrimo Ing Pandum for finding an authenticated XSS issue via theme 
uploads.
https://core.trac.wordpress.org/changeset/47950
All releases

Props to Simon Scannell of RIPS Technologies for finding an issue where 
set-screen-option can be misused by plugins leading to privilege escalation.
https://core.trac.wordpress.org/changeset/47951
All releases

Props to Carolina Nymark for discovering an issue where comments from 
password-protected posts and pages could be displayed under certain conditions.
https://core.trac.wordpress.org/changeset/47984
All releases

There is also a fix for unmoderated comments visible to indexers which
will be backported. WordPress say it's not a security issue, but seems
like you are getting the site to do something that it shouldn't.
https://make.wordpress.org/core/2020/06/09/wordpress-5-4-2-prevent-unmoderated-comments-from-search-engine-indexation/
https://core.trac.wordpress.org/ticket/49956
https://core.trac.wordpress.org/changeset/47887
https://core.trac.wordpress.org/changeset/47889
Present: 5.4 only (5.1 onwards, see the ticket)


-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
