ArchLinux: 201609-4: wordpress: multiple issues
Summary
- CVE-2016-7168 (cross-site scripting)
A cross-site scripting vulnerability via an image filename, reported by
SumOfPwm researcher Cengiz Han Sahin.
- CVE-2016-7169 (directory traversal)
A directory traversal vulnerability in the upgrade package uploader, reported
by Dominik Schilling from the Wordpress security team.
Resolution
Upgrade to 4.6-1.
# pacman -Syu "wordpress>=4.6-1"
The problem has been fixed upstream in version 4.6.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7168 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7169 https://www.openwall.com/lists/oss-security/2016/09/08/19 https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/ https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_vulnerability_in_wordpress_due_to_unsafe_processing_of_file_names.html
Workaround
None.