oss-sec mailing list archives

Security vulnerabilities fixed in WordPress 3.3.2
From: Henri Salo <henri () nerv fi>
Date: Mon, 23 Apr 2012 11:05:21 +0300

Page http://codex.wordpress.org/Version_3.3.2 says:

Three external libraries included in WordPress received security updates:

- Plupload (version 1.5.4), which WordPress uses for uploading media.
- SWFUpload, which WordPress previously used for uploading media, and may still be in use by plugins.
- SWFObject, which WordPress previously used to embed Flash content, and may still be in use by plugins and themes.

WordPress 3.3.2 also addresses:

- Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
- Cross-site scripting vulnerability when making URLs clickable.
- Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.

A full log of the changes made for 3.3.2 can be found at 

I asked WordPress whether these vulnerabilities already have CVE identifiers and reported these to OSVDB, Secunia and Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670124

- Henri Salo
