Debian DLA-2429: WordPress Fixes 9 CVEs Including RCE, XSS, and Privilege Escalation

Critical Vulnerability Information Debian LTS Advisory: DLA-2429-1 Package and Version Package: wordpress Version: 4.7.19+dfsg-1+deb9u1 CVE IDs CVE ID: CVE-2020-28032, CVE-2020-28033, CVE-2020-28034, CVE-2020-28035, CVE-2020-28036, CVE-2020-28037, CVE-2020-28038, CVE-2020-28039, CVE-2020-28040 Vulnerability Description CVE-2020-28032: WordPress versions prior to 4.7.19 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. CVE-2020-28033: WordPress versions prior to 4.7.19 mishandles embeds from disabled sites on a multisite network, potentially leading to spam embeds. CVE-2020-28034: WordPress versions prior to 4.7.19 allows XSS associated with global variables. CVE-2020-28035: WordPress versions prior to 4.7.19 allows attackers to gain privileges via XML-RPC. CVE-2020-28036: wp-includes/class-wp-xmlrpc-server.php in WordPress versions prior to 4.7.19 allows attackers to gain privileges by using XML-RPC to comment on a post. CVE-2020-28037: is_blog_installed in wp-includes/functions.php in WordPress versions prior to 4.7.19 improperly determines whether WordPress is already installed, potentially allowing attackers to execute remote code. CVE-2020-28038: WordPress versions prior to 4.7.19 allows stored XSS via post slugs. CVE-2020-28039: is_protected_meta in wp-includes/meta.php in WordPress versions prior to 4.7.19 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. CVE-2020-28040: WordPress versions prior to 4.7.19 allows CSRF attacks that change a theme's background image. Remediation Advice For Debian 9 stretch, these issues have been fixed in version 4.7.19+dfsg-1+deb9u1. It is recommended to upgrade the WordPress package to resolve these security issues.

Goal Reached Thanks to every supporter — we hit 100%!

Debian DLA-2429: WordPress Fixes 9 CVEs Including RCE, XSS, and Privilege Escalation