WordPress Multiple Vulnerabilities Fixed by 4.4.2


Description   Several vulnerabilities have been identified in WordPress:

- CVE-2016-2222: server-side request forgery (SSRF) for certain local URIs. An attacker can exploit it by sending a specially crafted application request in order to perform several operations, such as scanning and attacking systems on the LAN or enumerating the services running on those systems.

- CVE-2016-2221: open redirect. A remote attacker could exploit it by inciting victims to follow a specially crafted link in order to redirect them to a malicious website.

No further information is available.

Updated, 08/02/2016: The wordpress packages provided by Debian Squeeze 6 are vulnerable.
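The two bug classes above are generic and both come down to deciding, from a parsed URL rather than a string prefix, where a request or a browser is about to be sent. The block below is an added illustration of those two checks (an outbound-URL gate against SSRF and a redirect-target gate against open redirects); it is not WordPress code and not the fix shipped in 4.4.2. The host names, the resolver table and the allow-list are constructed assumptions so that it runs offline.

```python
"""
Illustration of the two bug classes named in the advisory: an outbound-URL
gate against server-side request forgery (the CVE-2016-2222 class) and a
redirect-target gate against open redirects (the CVE-2016-2221 class).
Added example, not WordPress's own code; host names and the resolver table
are constructed so the block runs offline.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS (assumption, not real data). A production
# check must also *connect* to the address it validated; otherwise a host
# that resolves differently on the second lookup (DNS rebinding) bypasses it.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}

ALLOWED_PORTS = (None, 80, 443)   # None = scheme default


def resolve(host):
    """Return every address the host maps to: literals directly, names via
    the table. Python's ipaddress rejects shorthand literals ("0", "127.1");
    a real resolver expands them, and the address check below still catches
    the loopback/unspecified result."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return FAKE_DNS.get(host.lower(), [])


def is_safe_outbound_url(url):
    """SSRF gate for a server-side fetcher (feeds, oEmbed, pingbacks):
    http(s) only, default web ports only (so the fetcher cannot be used to
    probe other services), and every resolved address must be globally
    routable: loopback, RFC 1918, link-local (including the cloud metadata
    address 169.254.169.254), multicast and 0.0.0.0/:: are refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        if parts.port not in ALLOWED_PORTS:
            return False
    except ValueError:          # port out of range or not numeric
        return False
    addrs = resolve(parts.hostname)
    if not addrs:
        return False
    return all(ipaddress.ip_address(a).is_global
               and not ipaddress.ip_address(a).is_multicast
               for a in addrs)


def is_safe_redirect(target, allowed_hosts=("example.com",)):
    """Open-redirect gate for a ?redirect_to=... style parameter: accept an
    absolute path on this site, or an absolute http(s) URL whose host is on
    the allow-list. Decisions are made on the parsed URL, not on string
    prefixes, so "https://example.com@evil.com/" and
    "https://example.com.evil.com/" fail: their host is not example.com."""
    if not target:
        return False
    # Browsers treat "\" as "/" and collapse "///host" into an authority;
    # urlsplit does not, so "/\\evil.com" or "///evil.com" would otherwise
    # parse as a harmless same-site path.
    if "\\" in target or target.startswith("//") or any(ord(c) < 0x20 for c in target):
        return False
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        return target.startswith("/")          # same-site relative path
    if parts.scheme not in ("http", "https"):  # javascript:, data:, ...
        return False
    allowed = {h.lower() for h in allowed_hosts}
    return bool(parts.hostname) and parts.hostname in allowed


if __name__ == "__main__":
    for u in ("http://example.com/feed", "http://intranet.local/",
              "http://169.254.169.254/latest/meta-data/", "http://[::1]/",
              "http://rebind.test/", "http://example.com:22/"):
        print(f"fetch    {u:45} -> {is_safe_outbound_url(u)}")
    for t in ("/wp-admin/", "//evil.com/", "///evil.com", "/\\evil.com",
              "https://example.com/login", "https://example.com@evil.com/",
              "javascript:alert(1)"):
        print(f"redirect {t:45} -> {is_safe_redirect(t)}")
```

The SSRF gate validates the resolved addresses, not the host name, which is what the "certain local URIs" wording points at: a literal such as 127.0.0.1, a name that resolves to a private range, or a shorthand literal the real resolver expands all end up at the same address check. The redirect gate refuses anything it cannot positively classify as a same-site path or an allow-listed host; rejecting backslashes and a leading "//" before parsing matters because browsers and URL parsers disagree on those forms.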
     
Vulnerable Products   Vulnerable OS:
- Fedora (Red Hat) - 22, 23
- FreeBSD (FreeBSD) - All
- GNU/Linux (Debian) - 6, 7, 8
Vulnerable Software:
- WordPress (WordPress) - versions before 4.4.2
     
Solution   Upgrade to WordPress 4.4.2. Fixed de-wordpress, ja-wordpress, ru-wordpress, wordpress, zh-wordpress-zh_CN and zh-wordpress-zh_TW packages for FreeBSD are available; fixed packages for Debian (DSA 3472-1, DLA 418-1) and Fedora 22/23 are listed in the references below.
     
CVE   CVE-2016-2222
CVE-2016-2221
     
References   - WordPress : WordPress 4.4.2 Security and Maintenance Release
https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/
- Debian Security Tracker : wordpress
https://security-tracker.debian.org/tracker/CVE-2016-2221
https://security-tracker.debian.org/tracker/CVE-2016-2222
- DSA 3472-1 : wordpress security update
https://lists.debian.org/debian-security-announce/2016/msg00042.html
- DLA 418-1 : wordpress security update
https://lists.debian.org/debian-lts-announce/2016/02/msg00010.html
- FEDORA : Fedora 23 Update: wordpress-4.4.2-1.fc23
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177236.html
- FEDORA-2016-9 : Fedora 22 Update: wordpress-4.4.2-1.fc22
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177286.html
- VuXML : wordpress -- multiple vulnerabilities
http://www.vuxml.org/freebsd/fef03980-e4c6-11e5-b2bd-002590263bf5.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm: Site with open redirect
Available since: 4.0.0
     
Risk level   Moderate

Vulnerability First Public Report Date   2016-02-02

Target Type   Server

Possible exploit   Remote