Source: wordpress
Version: 6.8.1+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 6.1.6+dfsg1-0+deb12u1
Control: found -1 5.7.11+dfsg1-0+deb11u1

Hi,

The following vulnerabilities were published for wordpress.

CVE-2025-58674[0]:
| Improper Neutralization of Input During Web Page Generation ('Cross-
| site Scripting') vulnerability in WordPress allows Stored XSS.
| WordPress core security team is aware of the issue and working on a
| fix. This is a low severity vulnerability that requires an attacker to
| have Author or higher user privileges to execute the attack
| vector. This issue affects WordPress: from 6.8 through 6.8.2, from
| 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6,
| from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through
| 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9
| through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13,
| from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through
| 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1
| through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27,
| from 4.8 through 4.8.26, from 4.7 through 4.7.30.


CVE-2025-58246[1]:
| Insertion of Sensitive Information Into Sent Data vulnerability in
| WordPress allows Retrieve Embedded Sensitive Data. The WordPress
| Core security team is aware of the issue and is already working on a
| fix. This is a low-severity vulnerability. Contributor-level
| privileges required in order to exploit it. This issue affects
| WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6
| through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from
| 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8,
| from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through
| 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5
| through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19,
| from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through
| 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7
| through 4.7.30.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58674
    https://www.cve.org/CVERecord?id=CVE-2025-58674
[1] https://security-tracker.debian.org/tracker/CVE-2025-58246
    https://www.cve.org/CVERecord?id=CVE-2025-58246

Regards,
Salvatore