Package: wordpress
Version: 4.5.1
Severity: important
Tags: security upstream

WordPress 4.2 to 4.5.1 has an XSS vulnerability in Plupload and
mediaelement.  I haven't yet done the analysis to see if we are
fully vulnerable (some mediaelement items are removed due to DFSG
problems) but most likely it is.

No CVE items as yet from what I can tell.

Given this problem was introduced in 4.2 then jessie and wheezy should
not be impacted. I'll have a look at them in case they no longer care
about such old versions.

They mention an ImageMagick problem too, but it sounds more about the
library. Cannot find a DSA about it though.

https://wordpress.org/news/2016/05/wordpress-4-5-2/


-- System Information:
Debian Release: stretch/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages wordpress depends on:
pn  apache2 | httpd                 <none>
ii  ca-certificates                 20160104
ii  libjs-cropper                   1.2.2-1
ii  libphp-phpmailer                5.2.14+dfsg-2
ii  libphp-snoopy                   2.0.0-1
ii  mysql-client                    5.6.28-1
ii  php5                            5.6.19+dfsg-2
pn  php5-gd                         <none>
ii  php5-mysql                      5.6.19+dfsg-2+b1
pn  wordpress-theme-twentyfourteen  <none>

Versions of packages wordpress recommends:
pn  wordpress-l10n                <none>
pn  wordpress-theme-twentytwelve  <none>

Versions of packages wordpress suggests:
ii  mysql-server  5.6.28-1
