Subject: [ASA-201701-22] wordpress: multiple issues Arch Linux Security Advisory ASA-201701-22 ========================================== Severity: High Date : 2017-01-15 CVE-ID : CVE-2016-10033 CVE-2016-10045 CVE-2017-5487 CVE-2017-5488 CVE-2017-5489 CVE-2017-5490 CVE-2017-5491 CVE-2017-5492 CVE-2017-5493 Package : wordpress Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-142 Summary ======= The package wordpress before version 4.7.1-1 is vulnerable to multiple issues including arbitrary code execution, cross-site scripting, access restriction bypass, cross-site request forgery and insufficient validation. Resolution ========== Upgrade to 4.7.1-1. # pacman -Syu "wordpress>=4.7.1-1" The problems have been fixed upstream in version 4.7.1. Workaround ========== None. Description =========== - CVE-2016-10033 (arbitrary code execution) A vulnerability has been discovered in PHPMailer that could potentially be used by unauthenticated remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application. This issue can be triggered by passing a maliciously crafted expression to the vulnerable application. - CVE-2016-10045 (arbitrary code execution) It has been discovered that the first patch of the vulnerability CVE-2016-10033 in PHPMailer was incomplete and could potentially still be used by unauthenticated remote attackers to achieve remote arbitrary code execution in the context of the web server user and remotely compromise the target web application. This issue can be triggered by passing a maliciously crafted expression to the vulnerable application. - CVE-2017-5487 (access restriction bypass) A vulnerability has been discovered in wordpress exposing user data for all users who had authored a post of a public post type via the REST API. wordpress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API. - CVE-2017-5488 (cross-site scripting) A cross-site scripting (XSS) vulnerability has been discovered in wordpress via the plugin name or version header on update-core.php. - CVE-2017-5489 (cross-site request forgery) A cross-site request forgery (CSRF) bypass has been discovered in wordpress via uploading a Flash file. - CVE-2017-5490 (cross-site scripting) A cross-site scripting (XSS) vulnerability has been discovered in wordpress via theme name fallback. - CVE-2017-5491 (access restriction bypass) A vulnerability has been discovered in wordpress allowing to post via email as it checks for mail.example.com if default settings aren't changed. - CVE-2017-5492 (cross-site request forgery) A cross-site request forgery (CSRF) vulnerability has been discovered in wordpress in the accessibility mode of widget editing. - CVE-2017-5493 (insufficient validation) An insufficient validation vulnerability has been discovered in wordpress leading to weak cryptographic security for multisite activation key. Impact ====== A remote attacker is able to perform a cross-site scripting or cross- site request forgery attack or possibly execute arbitrary code on the affected host. References ========== https://bugs.archlinux.org/task/52555 https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-release/ http://seclists.org/oss-sec/2017/q1/95 https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html https://github.com/WordPress/WordPress/commit/daf358983cc1ce0c77bf6d2de2ebbb43df2add60 https://github.com/WordPress/WordPress/commit/c9ea1de1441bb3bda133bf72d513ca9de66566c2 https://github.com/WordPress/WordPress/commit/ce7fb2934dd111e6353784852de8aea2a938b359 https://github.com/WordPress/WordPress/commit/061e8788814ac87706d8b95688df276fe3c8596a https://github.com/WordPress/WordPress/commit/03e5c0314aeffe6b27f4b98fef842bf0fb00c733 https://github.com/WordPress/WordPress/commit/cea9e2dc62abf777e06b12ec4ad9d1aaa49b29f4 https://security.archlinux.org/CVE-2016-10033 https://security.archlinux.org/CVE-2016-10045 https://security.archlinux.org/CVE-2017-5487 https://security.archlinux.org/CVE-2017-5488 https://security.archlinux.org/CVE-2017-5489 https://security.archlinux.org/CVE-2017-5490 https://security.archlinux.org/CVE-2017-5491 https://security.archlinux.org/CVE-2017-5492 https://security.archlinux.org/CVE-2017-5493