[SECURITY] [DLA 2269-1] wordpress security update
Package : wordpress
Version : 4.1.31+dfsg-0+deb8u1
CVE ID : CVE-2020-4046 CVE-2020-4047 CVE-2020-4048
Debian Bug : 962685
Several vulnerabilities were discovered in WordPress, a web
blogging tool. They allowed remote attackers to perform
various Cross-Site Scripting (XSS) attacks, create open
redirects, escalate privileges, and bypass authorization.
In affected versions of WordPress, users with low
privileges (like contributors and authors) can use the
embed block in a certain way to inject unfiltered HTML
in the block editor. When affected posts are viewed by a
higher privileged user, this could lead to script
execution in the editor/wp-admin.
In affected versions of WordPress, authenticated users with
upload permissions (like authors) are able to inject
way. This can lead to script execution in the context of a
higher privileged user when the file is viewed by them.
In affected versions of WordPress, due to an issue in
wp_validate_redirect() and URL sanitization, an arbitrary
external link can be crafted leading to unintended/open
redirect when clicked.
In affected versions of WordPress, when uploading themes, the
name of the theme folder can be crafted in a way that could
This does require an admin to upload the theme, and is low
In affected versions of WordPress, misuse of the
`set-screen-option` filter's return value allows arbitrary
user meta fields to be saved. It does require an admin to
install a plugin that would misuse the filter. Once installed,
it can be leveraged by low privileged users.
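The filter misuse described above, shown beside a safe form, as an added illustration that is not part of the advisory or of WordPress itself; the plugin, the option name `myplugin_items_per_page` and the value bounds are assumptions:

```php
<?php
// WordPress passes three arguments to the 'set-screen-option' filter:
//   $status - false by default (meaning "do not save anything")
//   $option - the screen option name, taken from the request
//   $value  - the submitted value
// Whatever the filter returns (if not false) is written to user meta
// under the key $option.

// Misuse: returning $value for every $option lets the request decide
// which user meta key is written, which is the behaviour the advisory
// describes. A low privileged user only needs a plugin like this installed.
add_filter( 'set-screen-option', function ( $status, $option, $value ) {
    return $value;
}, 10, 3 );

// Safe form (assumed plugin option): handle only the option this plugin
// owns, validate the value, and return $status unchanged for everything else
// so that no other user meta key can be written through this hook.
add_filter( 'set-screen-option', function ( $status, $option, $value ) {
    if ( 'myplugin_items_per_page' !== $option ) {
        return $status;               // not ours: leave the default (false)
    }
    $value = (int) $value;
    if ( $value < 1 || $value > 999 ) {
        return $status;               // out of range: save nothing
    }
    return $value;
}, 10, 3 );
```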
For Debian 8 "Jessie", these problems have been fixed in version
We recommend that you upgrade your wordpress packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS