CVE-2019-17670
WordPress has a Server Side Request Forgery (SSRF) vulnerability
because Windows paths are mishandled during certain validation of
relative URLs.
CVE-2020-4047
Authenticated users with upload permissions (like authors) are
able to inject JavaScript into some media file attachment pages in
a certain way. This can lead to script execution in the context of
a higher privileged user when the file is viewed by them.
CVE-2020-4048
Due to an issue in wp_validate_redirect() and URL sanitization, an
arbitrary external link can be crafted leading to unintended/open
redirect when clicked.
CVE-2020-4049
When uploading themes, the name of the theme folder can be crafted
in a way that could lead to JavaScript execution in /wp-admin on
the themes page.
CVE-2020-4050
Misuse of the `set-screen-option` filter's return value allows
arbitrary user meta fields to be saved. It does require an admin