Detections
Analytics

FreeBSD : wordpress -- multiple issues (459df1ba-051c-11ea-9673-4c72b94353b5)

high Nessus Plugin ID 130921

Language:

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

wordpress developers reports :

Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.

rops to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.

Props to Weston Ruter for finding a way to create a stored XSS to inject JavaScript into style tags.

rops to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.

Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.

Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.

Solution

Update the affected packages.

See Also

https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/

http://www.nessus.org/u?edae2276

Plugin Details

Severity: High

ID: 130921

File Name: freebsd_pkg_459df1ba051c11ea96734c72b94353b5.nasl

Version: 1.1

Type: local

Published: 11/13/2019

Updated: 11/13/2019

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:de-wordpress, p-cpe:/a:freebsd:freebsd:fr-wordpress, p-cpe:/a:freebsd:freebsd:ja-wordpress, p-cpe:/a:freebsd:freebsd:ru-wordpress, p-cpe:/a:freebsd:freebsd:wordpress, p-cpe:/a:freebsd:freebsd:zh_cn-wordpress, p-cpe:/a:freebsd:freebsd:zh_tw-wordpress, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 11/12/2019

Vulnerability Publication Date: 10/14/2019