Source: wordpress
Version: 4.7.2
Severity: grave
Tags: upstream security
Justification: user security hole
There are six security issues with wordpress 4.7.2 that wordpress 4.7.3 fixes.

* Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs. Affected: 3.6.0 - 4.7.2.
  https://github.com/WordPress/WordPress/commit/28f838ca3ee205b6f39cd2bf23eb4e5f52796bd7

* Control characters can trick redirect URL validation. Reported by Daniel Chatfield. Affected: 2.8.1 - 4.7.2.
  https://github.com/WordPress/WordPress/commit/288cd469396cfe7055972b457eb589cea51ce40e

* Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang. Affected: 4.7.0 - 4.7.2.
  https://github.com/WordPress/WordPress/commit/4d80f8b3e1b00a3edcee0774dc9c2f4c78f9e663

* Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Marc Montpas. Affected: 4.0 - 4.7.2.
  https://github.com/WordPress/WordPress/commit/419c8d97ce8df7d5004ee0b566bc5e095f0a6ca8

* Cross-site scripting (XSS) via taxonomy term names. Reported by Delta. Affected: 4.7 - 4.7.2.
  No patch supplied.

* Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema. Affected: 4.2 - 4.7.2.
  https://github.com/WordPress/WordPress/commit/263831a72d08556bc2f3a328673d95301a152829

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
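The second item (control characters tricking redirect validation) is a general pitfall: many URL parsers silently drop or re-interpret ASCII control characters, so a validator that parses first and checks the host afterwards can be fooled. The following is an added illustration in Python of a redirect validator that rejects such input before parsing; it is not WordPress's patch and `ALLOWED_HOSTS` is a constructed allow-list.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of hosts a redirect may target (assumption, not WordPress's list).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
FALLBACK = "/"

# ASCII control characters (0x00-0x1F, 0x7F). urlsplit() strips tab/CR/LF before
# parsing, so the check must run on the raw string, not on the parsed result.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_redirect(location, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `location` if it is a safe redirect target, else `fallback`."""
    if not isinstance(location, str) or not location:
        return fallback
    # Reject control characters outright instead of stripping them: the string
    # the browser sees must be the same string we validated.
    if _CONTROL_CHARS.search(location):
        return fallback
    # Browsers treat backslash as a slash in http(s) URLs, so "/\host" becomes
    # "//host" (a scheme-relative redirect). Python's parser does not, so reject.
    if "\\" in location:
        return fallback
    parts = urlsplit(location)
    # Only http(s) or scheme-less targets; blocks javascript:, data:, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback
    if parts.netloc:
        # Absolute or scheme-relative ("//host/...") URL: host must be allowed.
        if (parts.hostname or "").lower() not in allowed_hosts:
            return fallback
    elif not location.startswith("/"):
        # Anything else must be a rooted local path; "//" cases have a netloc above.
        return fallback
    return location
```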