FreeBSD : wordpress -- multiple vulnerabilities (043d3a78-f245-4938-9bc7-3d0d35dd94bf)

high Nessus Plugin ID 70515

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

The WordPress development team reports:

- Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution.

- Prevent a user with an Author role, using a specially crafted request, from being able to create a post 'written by' another user.

- Fix insufficient input validation that could result in redirecting or leading a user to another website.

Additionally, we've adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

Solution

Update the affected packages.

See Also

https://wordpress.org/news/2013/09/wordpress-3-6-1/

http://www.nessus.org/u?5a11591e

Plugin Details

Severity: High

ID: 70515

File Name: freebsd_pkg_043d3a78f24549389bc73d0d35dd94bf.nasl

Version: 1.8

Type: local

Published: 10/20/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:de-wordpress, p-cpe:/a:freebsd:freebsd:ja-wordpress, p-cpe:/a:freebsd:freebsd:ru-wordpress, p-cpe:/a:freebsd:freebsd:wordpress, p-cpe:/a:freebsd:freebsd:zh-wordpress-zh_cn, p-cpe:/a:freebsd:freebsd:zh-wordpress-zh_tw, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 10/19/2013

Vulnerability Publication Date: 9/11/2013

Reference Information

CVE: CVE-2013-4338, CVE-2013-4339, CVE-2013-4340, CVE-2013-5738, CVE-2013-5739