Package: wordpress
Version: 6.5+dfsg1-1
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

In WordPress < 6.5.2 there is a stored XSS in the Avatar block. You have to
have certain things enabled for it to work so it won't impact everyone.

References:
https://wpscan.com/blog/unauthenticated-stored-xss-fixed-in-wordpress-core/
https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
https://wpscan.com/vulnerability/1a5c5df1-57ee-4190-a336-b0266962078f/

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/12 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages wordpress depends on:
pn  apache2 | httpd                              <none>
ii  ca-certificates                              20240203
pn  default-mysql-client | virtual-mysql-client  <none>
pn  libapache2-mod-php | php                     <none>
pn  libjs-cropper                                <none>
ii  libjs-lodash                                 4.17.21+dfsg+~cs8.31.198.20210220-9
ii  libjs-underscore                             1.13.4~dfsg+~1.11.4-3
pn  php-gd                                       <none>
pn  php-getid3                                   <none>
pn  php-mysql | php-mysqlnd                      <none>

Versions of packages wordpress recommends:
pn  wordpress-l10n                      <none>
pn  wordpress-theme-twentytwentythree   <none>

Versions of packages wordpress suggests:
pn  default-mysql-server | virtual-mysql-server  <none>
pn  php-curl                                     <none>
pn  php-imagick                                  <none>
pn  php-mbstring                                 <none>
pn  php-ssh2                                     <none>
pn  php-xml                                      <none>
pn  php-zip                                      <none>