DSA-3332-1 wordpress -- wordpress | ID: oval:org.secpod.oval:def:602199 | Date: (C)2015-08-28 (M)2022-09-22 |
Class: PATCH | Family: unix |
Several vulnerabilities have been fixed in WordPress, the popular blogging engine.

CVE-2015-2213: SQL injection allowed a remote attacker to compromise the site.
CVE-2015-5622: The robustness of the shortcodes HTML tags filter has been improved. The parsing is a bit more strict, which may affect your installation. This is the corrected version of the patch that needed to be reverted in DSA 3328-2.
CVE-2015-4730: A potential timing side-channel attack in widgets.
CVE-2015-5731: An attacker could lock a post that was being edited.
CVE-2015-5732: Cross-site scripting in a widget title allows an attacker to steal sensitive information.
CVE-2015-5734: Fix some broken links in the legacy theme preview.

The issues were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandí of the WordPress security team, Netanel Rubin of Check Point, Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A. Baset.