Arch Linux Security Advisory ASA-201703-14 ========================================== Severity: Medium Date : 2017-03-16 CVE-ID : CVE-2017-6814 CVE-2017-6815 CVE-2017-6816 CVE-2017-6817 CVE-2017-6818 CVE-2017-6819 Package : wordpress Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-202 Summary ======= The package wordpress before version 4.7.3-1 is vulnerable to multiple issues including cross-site request forgery, cross-site scripting and insufficient validation. Resolution ========== Upgrade to 4.7.3-1. # pacman -Syu "wordpress>=4.7.3-1" The problems have been fixed upstream in version 4.7.3. Workaround ========== None. Description =========== - CVE-2017-6814 (cross-site scripting) An authenticated cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 via Media File Metadata. This is demonstrated by both (1) mishandling of the playlist shortcode in the wp_playlist_shortcode function in wp-includes/media.php and (2) mishandling of meta information in the renderTracks function in wp- includes/js/mediaelement/wp-playlist.js. - CVE-2017-6815 (insufficient validation) A vulnerability has been discovered in WordPress before 4.7.3 (wp- includes/pluggable.php) that certain control characters can trick redirect URL validation. - CVE-2017-6816 (insufficient validation) It has been discovered that unintended files can be deleted by administrators in WordPress before 4.7.3 (wp-admin/plugins.php) using the plugin deletion functionality. - CVE-2017-6817 (cross-site scripting) An authenticated cross-site scripting (XSS) vulnerability has been discovered in in WordPress before 4.7.3 (wp-includes/embed.php) via YouTube URL Embeds. - CVE-2017-6818 (cross-site scripting) A cross-site scripting (XSS) vulnerability has been discovered in WordPress before 4.7.3 (wp-admin/js/tags-box.js) via taxonomy term names. - CVE-2017-6819 (cross-site request forgery) A cross-site request forgery (CSRF) vulnerability exists on the Press This page of WordPress. This issue can be used to create a Denial of Service (DoS) condition if an authenticated administrator visits a malicious URL. Impact ====== A remote attacker is able to execute arbitrary javascript on the clients machine or perform a denial of service attack against the server by tricking an administrator to visit a certain site. Furthermore a malicious administrator is able to delete unintended files from the server. References ========== https://codex.wordpress.org/Version_4.7.3 https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7 https://sumofpwn.nl/advisory/2016/wordpress_audio_playlist_functionality_is_affected_by_cross_site_scripting.html https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/ https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663 https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8 https://github.com/WordPress/WordPress/commit/9092fd01e1f452f37c313d38b18f9fe6907541f9 https://sumofpwn.nl/advisory/2016/cross_site_request_forgery_in_wordpress_press_this_function_allows_dos.html https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829 https://security.archlinux.org/CVE-2017-6814 https://security.archlinux.org/CVE-2017-6815 https://security.archlinux.org/CVE-2017-6816 https://security.archlinux.org/CVE-2017-6817 https://security.archlinux.org/CVE-2017-6818 https://security.archlinux.org/CVE-2017-6819