ArchLinux: 201701-22: wordpress: multiple issues
Summary
- CVE-2016-10033 (arbitrary code execution)
A vulnerability has been discovered in PHPMailer that could potentially
be used by unauthenticated remote attackers to achieve remote arbitrary
code execution in the context of the web server user and remotely
compromise the target web application. This issue can be triggered by
passing a maliciously crafted expression to the vulnerable application.
- CVE-2016-10045 (arbitrary code execution)
It has been discovered that the first patch of the vulnerability
CVE-2016-10033 in PHPMailer was incomplete and could potentially still
be used by unauthenticated remote attackers to achieve remote arbitrary
code execution in the context of the web server user and remotely
compromise the target web application. This issue can be triggered by
passing a maliciously crafted expression to the vulnerable application.
- CVE-2017-5487 (access restriction bypass)
A vulnerability has been discovered in wordpress exposing user data for
all users who had authored a post of a public post type via the REST
API. wordpress 4.7.1 limits this to only post types which have
specified that they should be shown within the REST API.
- CVE-2017-5488 (cross-site scripting)
A cross-site scripting (XSS) vulnerability has been discovered in
wordpress via the plugin name or version header on update-core.php.
- CVE-2017-5489 (cross-site request forgery)
A cross-site request forgery (CSRF) bypass has been discovered in
wordpress via uploading a Flash file.
- CVE-2017-5490 (cross-site scripting)
A cross-site scripting (XSS) vulnerability has been discovered in
wordpress via theme name fallback.
- CVE-2017-5491 (access restriction bypass)
A vulnerability has been discovered in wordpress allowing to post via
email as it checks for mail. if default settings aren't
changed.
- CVE-2017-5492 (cross-site request forgery)
A cross-site request forgery (CSRF) vulnerability has been discovered
in wordpress in the accessibility mode of widget editing.
- CVE-2017-5493 (insufficient validation)
An insufficient validation vulnerability has been discovered in
wordpress leading to weak cryptographic security for multisite
activation key.
Resolution
Upgrade to 4.7.1-1.
# pacman -Syu "wordpress>=4.7.1-1"
The problems have been fixed upstream in version 4.7.1.
References
https://bugs.archlinux.org/task/52555 https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/ https://seclists.org/oss-sec/2017/q1/95 https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60 https://github.com/WordPress/WordPress/commit/c9ea1de1441bb3bda133bf72d513ca9de66566c2 https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359 https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733 https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4 https://security.archlinux.org/CVE-2016-10033 https://security.archlinux.org/CVE-2016-10045 https://security.archlinux.org/CVE-2017-5487 https://security.archlinux.org/CVE-2017-5488 https://security.archlinux.org/CVE-2017-5489 https://security.archlinux.org/CVE-2017-5490 https://security.archlinux.org/CVE-2017-5491 https://security.archlinux.org/CVE-2017-5492 https://security.archlinux.org/CVE-2017-5493
Workaround
None.