oss-sec: CVE request: WordPress 3.5.1 Maintenance and Security Release

oss-sec mailing list archives

CVE request: WordPress 3.5.1 Maintenance and Security Release

From: Henri Salo <henri () nerv fi>
Date: Fri, 25 Jan 2013 11:13:57 +0200

From http://wordpress.org/news/2013/01/wordpress-3-5-1/


WordPress 3.5.1 also addresses the following security issues:

- A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could 
potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was 
fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for 
reviewing our work.
- Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of 
the WordPress security team.
- A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with 
us on this, and for releasing Plupload 1.5.5 to address this issue.

--
Henri Salo

By Date By Thread

Current thread:

CVE request: WordPress 3.5.1 Maintenance and Security Release Henri Salo (Jan 25)
- Re: CVE request: WordPress 3.5.1 Maintenance and Security Release Kurt Seifried (Jan 26)
  - Re: CVE request: WordPress 3.5.1 Maintenance and Security Release Andrew Nacin (Jan 26)
    - Re: CVE request: WordPress 3.5.1 Maintenance and Security Release Kurt Seifried (Jan 29)