AVG-1257

Package:  wordpress
Status:   Fixed
Severity: Critical
Type:     multiple issues
Affected: 5.5.1-1
Fixed:    5.5.3-1
Current:  6.7.1-1 [extra]
Ticket:   None
Created:  Mon Nov 2 07:35:52 2020
Issue           Severity  Remote  Type                        Description
CVE-2020-28040  High      Yes     Cross-site request forgery
    WordPress before 5.5.2 allows CSRF attacks that change a theme's background image.
CVE-2020-28039  High      Yes     Insufficient validation
    is_protected_meta in wp-includes/meta.php in WordPress before 5.5.2 allows arbitrary file deletion because it does not properly determine whether a meta key...
CVE-2020-28038  High      Yes     Cross-site scripting
    WordPress before 5.5.2 allows stored XSS via post slugs.
CVE-2020-28037  Critical  Yes     Arbitrary code execution
    is_blog_installed in wp-includes/functions.php in WordPress before 5.5.2 improperly determines whether WordPress is already installed, which might allow an...
CVE-2020-28036  High      Yes     Privilege escalation
    wp-includes/class-wp-xmlrpc-server.php in WordPress before 5.5.2 allows attackers to gain privileges by using XML-RPC to comment on a post.
CVE-2020-28035  High      Yes     Privilege escalation
    WordPress before 5.5.2 allows attackers to gain privileges via XML-RPC.
CVE-2020-28034  High      Yes     Cross-site scripting
    WordPress before 5.5.2 allows XSS associated with global variables.
CVE-2020-28033  Medium    Yes     Insufficient validation
    WordPress before 5.5.2 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed.
CVE-2020-28032  High      Yes     Arbitrary code execution
    WordPress before 5.5.2 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php.
Date         Advisory      Package    Type
03 Nov 2020  ASA-202011-3  wordpress  multiple issues
References
https://wordpress.org/news/2020/10/wordpress-5-5-2-security-and-maintenance-release/