[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Re: Possible CVE Request: Wordpress 4.1.2 security release
From: Hanno =?UTF-8?B?QsO2Y2s=?= <hanno () hboeck ! de>
Date: 2015-04-28 20:40:28
Message-ID: 20150428224028.135546dc () pc1 ! fritz ! box
[Download RAW message or body]
On Tue, 28 Apr 2015 15:27:03 -0400 (EDT)
cve-assign@mitre.org wrote:
> > https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/
>
> > Due to a now-fixed ambiguity in the documentation for the
> > add_query_arg() and remove_query_arg() functions, many plugins were
> > using them incorrectly, allowing for potential XSS attack vectors in
> > their code.
>
> We feel that this documentation ambiguity isn't necessarily a
> vulnerability in the WordPress product itself. There seems to be
> related documentation of add_query_arg within the
> wp-includes/functions.php file. If the vendor decides to change the
> documentation at
> https://core.trac.wordpress.org/browser/trunk/src/wp-includes/functions.php
> and wants a CVE ID for that, then we would assign one.
I think the issues here are vulnerabilities in plugins.
Sources:
https://scrutinizer-ci.com/blog/php-security-analysis-finds-xss-vulnerability-in-popular-wordpress-plugins
https://yoast.com/coordinated-security-release/
https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
The sucuri blog post lists a whole number of affected plugins. Maybe at
least the more popular ones (jetpack, wordpress seo, google analytics
by yoast, all in one seo) should get their own CVEs.
--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: BBB51E42
[Attachment #3 (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic