FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

wordpress -- multiple issues

Affected packages
fr-wordpress < 5.2.4,1
wordpress < 5.2.4,1
de-wordpress < 5.2.4
ja-wordpress < 5.2.4
ru-wordpress < 5.2.4
zh_CN-wordpress < 5.2.4
zh_TW-wordpress < 5.2.4
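The affected ranges above use FreeBSD package version syntax, where `version[_revision][,epoch]` is compared epoch first, then version components, then port revision. That matters here because the `fr-` and unflavoured `wordpress` ports carry epoch `,1` while the other language ports do not, so an installed `fr-wordpress-5.2.4` (epoch 0) still sorts below the `5.2.4,1` bound. The following is an added example, not code from FreeBSD VuXML, `pkg`, or the WordPress project: it encodes the advisory's bounds and flags affected entries from a constructed package list in the `name-version` form that `pkg info` prints. The version ordering is a simplified model (epoch, numeric dot components, revision); it does not implement the full pre-release letter rules of `pkg version`.

```python
import re
from typing import List, Tuple

# Upper bounds copied from the advisory's "Affected packages" list (all are "< bound").
AFFECTED = {
    "fr-wordpress": "5.2.4,1",
    "wordpress": "5.2.4,1",
    "de-wordpress": "5.2.4",
    "ja-wordpress": "5.2.4",
    "ru-wordpress": "5.2.4",
    "zh_CN-wordpress": "5.2.4",
    "zh_TW-wordpress": "5.2.4",
}

# Constructed sample of installed packages (assumption: `pkg info` style name-version strings).
SAMPLE_INSTALLED = [
    "wordpress-5.2.3_2,1",   # older version, same epoch -> affected
    "wordpress-5.2.4,1",     # exactly the fixed version -> not affected
    "de-wordpress-5.2.4",    # fixed version, no epoch on this port -> not affected
    "ja-wordpress-5.2.3",    # older -> affected
    "fr-wordpress-5.2.4",    # epoch 0 is below the ",1" bound -> affected
    "php73-7.3.11",          # not covered by this advisory -> ignored
]


def split_pkg_version(v: str) -> Tuple[int, str, int]:
    """Split 'version[_revision][,epoch]' into (epoch, version, revision)."""
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    return epoch, v, revision


def version_key(version: str) -> list:
    """Simplified component key: numbers compare numerically, letter runs lexically."""
    parts = []
    for comp in version.split("."):
        for tok in re.findall(r"\d+|[A-Za-z]+", comp):
            if tok.isdigit():
                parts.append((1, int(tok)))
            else:
                parts.append((0, tok.lower()))
    return parts


def pkg_version_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like pkg version: epoch first, then version, then revision."""
    ea, va, ra = split_pkg_version(a)
    eb, vb, rb = split_pkg_version(b)
    ka = (ea, version_key(va), ra)
    kb = (eb, version_key(vb), rb)
    return (ka > kb) - (ka < kb)


def affected_packages(installed: List[str]) -> List[str]:
    """Return installed entries whose version is below the advisory's bound for that port."""
    hits = []
    for entry in installed:
        # Package versions never contain '-', so the last '-' separates name from version.
        name, _, ver = entry.rpartition("-")
        bound = AFFECTED.get(name)
        if bound is not None and pkg_version_cmp(ver, bound) < 0:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for pkg in affected_packages(SAMPLE_INSTALLED):
        print("affected:", pkg)
```

On a real host the equivalent check is `pkg audit -F`, which fetches the VuXML database and applies these comparisons to every installed package; the example makes the epoch rule visible, since a version string without `,1` is easy to misread as "already at 5.2.4".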


VuXML ID 459df1ba-051c-11ea-9673-4c72b94353b5
Discovery 2019-10-14
Entry 2019-11-12

WordPress developers report:

Props to Evan Ricafort for finding an issue where stored XSS (cross-site scripting) could be added via the Customizer.

Props to J.D. Grimes who found and disclosed a method of viewing unauthenticated posts.

Props to Weston Ruter for finding a way to create a stored XSS to inject JavaScript into style tags.

Props to David Newman for highlighting a method to poison the cache of JSON GET requests via the Vary: Origin header.

Props to Eugene Kolodenker who found a server-side request forgery in the way that URLs are validated.

Props to Ben Bidner of the WordPress Security Team who discovered issues related to referrer validation in the admin.