Hi Craig,

On Mon, Nov 02, 2020 at 08:01:44AM +1100, Craig Small wrote:
> Package: wordpress
> Version: 5.5.1+dfsg1-2
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Wordpress versions less than 5.5.2 have the following security
> vulnerabilities:
>
> CVE-2020-28039: Protected meta that could lead to arbitrary file deletion.
> CVE-2020-28035: XML-RPC privilege escalation.
> CVE-2020-28036: XML-RPC privilege escalation.
> CVE-2020-28032: Hardening deserialization requests.
> CVE-2020-28037: DoS attack could lead to RCE.
> CVE-2020-28038: Stored XSS in post slugs.
> CVE-2020-28033: Disable spam embeds from disabled sites on a multisite
> network.
> CVE-2020-28034: Cross-Site Scripting (XSS) via global variables.
> CVE-2020-28040: CSRF attacks that change a theme's background image.
>
> Debian LTS have released 4.7.19 which fixes this already.
>
> I note the security tracker has these CVEs already.
And thanks for filing the BTS tracking bug!

Regards,
Salvatore