Arch Linux Security Advisory ASA-201508-2
========================================
Severity: High
Date    : 2015-08-07
CVE-ID  : CVE-2015-2213 CVE-2015-5730 CVE-2015-5731 CVE-2015-5732
CVE-2015-5733 CVE-2015-5734
Package : wordpress
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package wordpress before version 4.2.4-1 is vulnerable to multiple
issues, including XSS and SQL injection.

Resolution
=========
Upgrade to 4.2.4-1>.

# pacman -Syu "wordpress>=4.2.4-1"

The problem has been fixed upstream in version 4.2.4.

Workaround
=========
None.

Description
==========
- CVE-2015-2213:

SQL injection in comments ID.

- CVE-2015-5730:

Timing attack in widgets.

- CVE-2015-5731:

Denial of service by locking a post from being edited.

- CVE-2015-5732, CVE-2015-5733 CVE-2015-5734:

XSS.

Impact
=====
A remote attacker could lock a post from being edited, or compromise a
site running wordpress.

References
=========
https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/
https://wordpress.org/documentation/wordpress-version/version-4-2-4/
https://access.redhat.com/security/cve/CVE-2015-2213
https://access.redhat.com/security/cve/CVE-2015-5730
https://access.redhat.com/security/cve/CVE-2015-5731
https://access.redhat.com/security/cve/CVE-2015-5732
https://access.redhat.com/security/cve/CVE-2015-5733
https://access.redhat.com/security/cve/CVE-2015-5734