Debian LTS DLA-2429-1 Wordpress Security Update for Multiple Threats

November 3, 2020
Ubuntu LTS USN-4567-2 provides a patch for various Joomla vulnerabilities. Upgrade to version 3.9.24+dfsg-1+ubuntu1.
There were several vulnerabilities reported against WordPress, as follows:

Summary

CVE-2020-28032

WordPress before 4.7.19 mishandles deserialization requests in
wp-includes/Requests/Utility/FilteredIterator.php.

CVE-2020-28033

WordPress before 4.7.19 mishandles embeds from disabled sites
on a multisite network, as demonstrated by allowing a spam
embed.

CVE-2020-28034

WordPress before 4.7.19 allows XSS associated with global
variables.

CVE-2020-28035

WordPress before 4.7.19 allows attackers to gain privileges via
XML-RPC.

CVE-2020-28036

wp-includes/class-wp-xmlrpc-server.php in WordPress before
4.7.19 allows attackers to gain privileges by using XML-RPC to
comment on a post.

CVE-2020-28037

is_blog_installed in wp-includes/functions.php in WordPress
before 4.7.19 improperly determines whether WordPress is
already installed, which might allow an attacker to perform
a new installation, leading to remote code execution (as well
as a denial of service for the old installation).

CVE-2020-28038

Read the Full Advisory


Severity: important

Package: wordpress
Version: 4.7.19+dfsg-1+deb9u1
CVE ID: CVE-2020-28032 CVE-2020-28033 CVE-2020-28034
Debian Bug: 973562
