
[SECURITY] [DLA 4358-1] wordpress security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-4358-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
November 02, 2025                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : wordpress
Version        : 5.7.14+dfsg1-0+deb11u1
CVE ID         : CVE-2024-6307 CVE-2024-31111 CVE-2025-58246
                 CVE-2025-58674
Debian Bug     : 1074486 1117047

Several security vulnerabilities have been discovered in WordPress,
a popular content management framework.

CVE-2024-6307

    WordPress Core is vulnerable to stored Cross-Site Scripting via
    the HTML API due to insufficient input sanitization and output
    escaping on URLs. This makes it possible for authenticated
    attackers, with contributor-level access and above, to inject
    arbitrary web scripts in pages that will execute whenever a user
    accesses an injected page.

CVE-2024-31111

    Improper neutralization of input during web page generation (XSS or
    "Cross-site Scripting") vulnerability in Automattic WordPress allows
    Stored XSS.

CVE-2025-58246

    Insertion of sensitive information into sent data vulnerability in
    WordPress allows retrieval of embedded sensitive data.

CVE-2025-58674

    Improper neutralization of input during web page generation
    ("Cross-site Scripting") vulnerability in WordPress allows
    Stored XSS.

For Debian 11 bullseye, these problems have been fixed in version
5.7.14+dfsg1-0+deb11u1.

We recommend that you upgrade your wordpress packages.

For the detailed security status of wordpress please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wordpress

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----