[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Re: Possible CVE Request: Wordpress 4.1.2 security release
From:       Hanno =?UTF-8?B?QsO2Y2s=?= <hanno () hboeck ! de>
Date:       2015-04-28 20:40:28
Message-ID: 20150428224028.135546dc () pc1 ! fritz ! box
[Download RAW message or body]


On Tue, 28 Apr 2015 15:27:03 -0400 (EDT)
cve-assign@mitre.org wrote:

> > https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/
> 
> > Due to a now-fixed ambiguity in the documentation for the
> > add_query_arg() and remove_query_arg() functions, many plugins were
> > using them incorrectly, allowing for potential XSS attack vectors in
> > their code.
> 
> We feel that this documentation ambiguity isn't necessarily a
> vulnerability in the WordPress product itself. There seems to be
> related documentation of add_query_arg within the
> wp-includes/functions.php file. If the vendor decides to change the
> documentation at
> https://core.trac.wordpress.org/browser/trunk/src/wp-includes/functions.php
> and wants a CVE ID for that, then we would assign one.

I think the issues here are vulnerabilities in plugins.

Sources:
https://scrutinizer-ci.com/blog/php-security-analysis-finds-xss-vulnerability-in-popular-wordpress-plugins
https://yoast.com/coordinated-security-release/
https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html

The sucuri blog post lists a whole number of affected plugins. Maybe at
least the more popular ones (jetpack, wordpress seo, google analytics
by yoast, all in one seo) should get their own CVEs.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42

[Attachment #3 (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]