Debian LTS: DLA-1673-1: wordpress security update

    Date: 11 Feb 2019
    Category: Debian LTS
    Posted By: LinuxSecurity Advisories
    Package        : wordpress
    Version        : 4.1.25+dfsg-1+deb8u1
    CVE ID         : CVE-2018-20147 CVE-2018-20148 CVE-2018-20149
                     CVE-2018-20150 CVE-2018-20151 CVE-2018-20152
    Debian Bug     : 916403
    Several vulnerabilities were discovered in wordpress, a web blogging tool:

    Authors could modify metadata to bypass intended restrictions on
    deleting files.

    Contributors could conduct PHP object injection attacks via crafted
    metadata in a wp.getMediaItem XMLRPC call. This is caused by
    mishandling of serialized data at phar:// URLs in the
    wp_get_attachment_thumb_file function in wp-includes/post.php.

    When the Apache HTTP Server is used, authors could upload crafted
    files that bypass intended MIME type restrictions, leading to XSS,
    as demonstrated by a .jpg file without JPEG data.

    Crafted URLs could trigger XSS for certain use cases involving

    The user-activation page could be read by a search engine's web
    crawler if an unusual configuration were chosen. The search engine
    could then index and display a user's e-mail address and (rarely)
    the password that was generated by default.

    Authors could bypass intended restrictions on post types via crafted

    Contributors could modify new comments made by users with greater
    privileges, possibly causing XSS.
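    Two of the issues above come down to trusting the wrong thing: the phar:// issue trusts an attachment path that names a stream wrapper, and the MIME issue trusts a file's extension rather than its contents. The following is an added illustration of the defensive checks (not WordPress or Debian code); the signature table, the sample bytes and the function names are constructed for the example.

    ```python
    import re

    # Magic-byte prefixes for image types an upload filter typically allows.
    # Constructed for this example; a real deployment would use libmagic.
    SIGNATURES = {
        "jpg":  [b"\xff\xd8\xff"],
        "jpeg": [b"\xff\xd8\xff"],
        "png":  [b"\x89PNG\r\n\x1a\n"],
        "gif":  [b"GIF87a", b"GIF89a"],
    }

    # Any "scheme://" prefix (phar://, data://, ...) means the string is a PHP
    # stream wrapper, not a plain filesystem path, and must not reach
    # file_exists()/stat()-style calls.
    WRAPPER_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


    def safe_attachment_path(path: str) -> bool:
        """Accept only plain paths; reject anything addressed via a stream wrapper."""
        return WRAPPER_RE.match(path) is None


    def content_matches_extension(filename: str, data: bytes) -> bool:
        """True only when the bytes actually carry the format the extension claims."""
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        sigs = SIGNATURES.get(ext)
        if not sigs:
            return False  # unknown or disallowed extension
        return any(data.startswith(s) for s in sigs)


    # Constructed samples: a minimal JFIF header versus HTML saved under a .jpg name.
    REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16
    FAKE_JPEG = b"<html><body>not a jpeg</body></html>"
    ```

    With these checks the HTML-in-a-.jpg upload is rejected on content, and a phar:// attachment path is rejected before any filesystem function can trigger deserialization.
    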
    For Debian 8 "Jessie", these problems have been fixed in version
    4.1.25+dfsg-1+deb8u1.
    We recommend that you upgrade your wordpress packages.
    Further information about Debian LTS security advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: