Mandriva Linux Security Advisory : wordpress (MDVSA-2014:103)
Medium Nessus Plugin ID 74081
SynopsisThe remote Mandriva Linux host is missing a security update.
DescriptionMultiple vulnerabilities has been discovered and corrected in wordpress :
WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php (CVE-2014-0165).
The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie (CVE-2014-0166).
The updated packages have been patched to correct these issues.
SolutionUpdate the affected wordpress package.