FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

wordpress -- multiple issues

Affected packages
fr-wordpress < 5.2.4,1
wordpress < 5.2.4,1
de-wordpress < 5.2.4
ja-wordpress < 5.2.4
ru-wordpress < 5.2.4
zh_CN-wordpress < 5.2.4
zh_TW-wordpress < 5.2.4

Details

VuXML ID 459df1ba-051c-11ea-9673-4c72b94353b5
Discovery 2019-10-14
Entry 2019-11-12

wordpress developers reports:

Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.

rops to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.

Props to Weston Ruter for finding a way to create a stored XSS to inject Javascript into style tags.

rops to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.

Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.

Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.

References

URL https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/