Wordpress Multiple Vulnerabilities Fixed by 4.3.1


Description   (#Several vulnerabilities were reported in Wordpress' core:#- CVE-2015-5714: cross-site scripting when parsing shortcode tags#- CVE-2015-5715: security bypass allowing an authenticated remote attacker -but without proper permissions, to publish private posts#- cross-site scripting located in the user list table.##The de-wordpress, ja-wordpress, ru-wordpress, wordpress, zh-wordpress-zh_CH and zh-wordpress-zh_TW packages provided by FreeBSD are vulnerable.#Updated, 16/09/2015:#The wordpress packages provided by Debian Squeeze 6, Wheezy 7 and Jessie 8 are vulnerable.)
     
Vulnerable Products   Vulnerable OS:
Fedora (Red Hat) - 21, 22FreeBSD (FreeBSD) - AllGNU/Linux (Debian) - 6, 7, 8Vulnerable Software:
WordPress (WordPress) -
     
Solution   Fixed wordpress packages for Debian Wheezy 7 and Jessie 8 are available.
     
CVE   CVE-2015-5715
CVE-2015-5714
     
References   - WordPress : 4.3.1 Security and Maintenance Release
https://wordpress.org/news/2015/09/wordpress-4-3-1/
- VuXML : wordpress -- multiple vulnerabilities
http://www.vuxml.org/freebsd/f4ce64c2-5bd4-11e5-9040-3c970e169bc2.html
- DebianSecurityTracker : wordpress
https://security-tracker.debian.org/tracker/CVE-2015-5714
https://security-tracker.debian.org/tracker/CVE-2015-5715
https://security-tracker.debian.org/tracker/TEMP-0799140-C9DADC
- FEDORA-2015-15981 : Fedora 22 Update: wordpress-4.3.1-1.fc22
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167701.html
- FEDORA-2015-15982 : Fedora 21 Update: wordpress-4.3.1-1.fc21
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/167729.html
- Debian DLA 321-1 : wordpress security update
https://lists.debian.org/debian-lts-announce/2015/09/msg00018.html
- DSA 3375-1 : wordpress security update
https://lists.debian.org/debian-security-announce/2015/msg00274.html
     
Vulnerability Manager Detection   No
     
IPS Protection  
ASQ Engine alarm Available Since
XSS - Prevention - POST : suspicious 'style' tag found in data
5.0.0
XSS - Prevention - POST : javascript code found in data
5.0.0
XSS - Prevention - POST : suspicious tag with event found in data
5.0.0
XSS - Prevention - POST : suspicious 'embed' tag found in data
5.0.0
XSS - Prevention - POST : 'location' javascript object found in data
5.0.0
XSS - Prevention - POST : code allowing cookie access found in data
5.0.0
XSS - Prevention - POST : 'script' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'style' attribute found in data
5.0.0
XSS - Prevention - POST : suspicious 'applet' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'div' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'img' attribute found in data
5.0.0
XSS - Prevention - POST : suspicious 'meta' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'object' tag found in data
5.0.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data
5.0.0
     


 
 
 
 
 Risk level 
Moderate 

 Vulnerability First Public Report Date 
2015-09-15 

 Target Type 
Client 

 Possible exploit 
Remote