Cross-site scripting (XSS) vulnerability in WordPress before 4.2.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the Author or Contributor role to place a crafted shortcode inside an HTML element, related to wp-includes/kses.php and wp-includes/shortcodes.php.

Versions of WordPress 3.7.x prior to 3.7.9 , 3.8.x prior to 3.8.9 , 3.9.x prior to 3.9.7 , 4.1.x prior to 4.1.6 , and 4.2.x prior to 4.2.3 are susceptible to the following vulnerabilities : 

 - A cross-site scripting (XSS) vulnerability exists due to a flaw in the Shortcode API in which shortcodes embedded in HTML tags are not properly handled before returning the input to the users. A remote, authenticated attacker can exploit this by using a crafted request to execute arbitrary code in the user's browser session.
 - An unspecified vulnerability exists due to a flaw in Quick Draft, which can allow an unauthorized, remote user to create arbitrary drafts.

Several vulnerabilities were discovered in Wordpress, a web blogging tool. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2015-2213     SQL Injection allowed a remote attacker to compromise     the site.

  - CVE-2015-5622     The robustness of the shortcodes HTML tags filter has     been improved. The parsing is a bit more strict, which     may affect your installation.

  - CVE-2015-5714     A cross-site scripting vulnerability when processing     shortcode tags.

  - CVE-2015-5715     A vulnerability has been discovered, allowing users     without proper permissions to publish private posts and     make them sticky.

  - CVE-2015-5731     An attacker could lock a post that was being edited.

  - CVE-2015-5732     Cross-site scripting in a widget title allows an     attacker to steal sensitive information.

  - CVE-2015-5734     Fix some broken links in the legacy theme preview.

  - CVE-2015-7989     A cross-site scripting vulnerability in user list     tables.

Several vulnerabilities have been fixed in Wordpress, the popular blogging engine.

CVE-2015-2213

SQL Injection allowed a remote attacker to compromise the site.

CVE-2015-5622

The robustness of the shortcodes HTML tags filter has been improved.
The parsing is a bit more strict, which may affect your installation.
This is the corrected version of the patch that needed to be reverted in DSA 3328-2.

CVE-2015-5731

An attacker could lock a post that was being edited.

CVE-2015-5732

Cross site scripting in a widget title allows an attacker to steal sensitive information.

CVE-2015-5734

Fix some broken links in the legacy theme preview.

The issues were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sand&iacute; of the WordPress security team, Netanel Rubin of Check Point, Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A. Baset.

We recommend that you upgrade your wordpress packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**WordPress 4.2.4 Security and Maintenance Release**

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see: the release notes or consult the list of changes.

  - the release notes:
    https://codex.wordpress.org/Version_4.2.4

    - the list of changes:
      https://core.trac.wordpress.org/log/branches/4.2?rev=3       3573&stop_rev=33396

**WordPress 4.2.3 Security and Maintenance Release**

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnonen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see :

  - the release notes:
    https://codex.wordpress.org/Version_4.2.3

    - the list of changes:
      https://core.trac.wordpress.org/log/branches/4.2?rev=3       3382&stop_rev=32430

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been fixed in Wordpress, the popular blogging engine.

  - CVE-2015-2213     SQL Injection allowed a remote attacker to compromise     the site.

  - CVE-2015-5622     The robustness of the shortcodes HTML tags filter has     been improved. The parsing is a bit more strict, which     may affect your installation. This is the corrected     version of the patch that needed to be reverted in DSA     3328-2.

  - CVE-2015-5730     A potential timing side-channel attack in widgets.

  - CVE-2015-5731     An attacker could lock a post that was being edited.

  - CVE-2015-5732     Cross site scripting in a widget title allows an     attacker to steal sensitive information.

  - CVE-2015-5734     Fix some broken links in the legacy theme preview.

The issues were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point, Ivan Grigorov, Johannes Schmitt of Scrutinizer and Mohamed A.
Baset.

Several vulnerabilities have been found in Wordpress, the popular blogging engine.

  - CVE-2015-3429     The file example.html in the Genericicons icon font     package and twentyfifteen Wordpress theme allowed for     cross site scripting.

  - CVE-2015-5622     The robustness of the shortcodes HTML tags filter has     been improved. The parsing is a bit more strict, which     may affect your installation.

  - CVE-2015-5623     A cross site scripting vulnerability allowed users with     the Contributor or Author role to elevate their     privileges.

The oldstable distribution (wheezy) is only affected by CVE-2015-5622.
This less critical issue will be fixed at a later time.

According to its version number, the WordPress application running on the remote web server is either version 3.7.x prior to 3.7.9, 3.8.x prior to 3.8.9, 3.9.x prior to 3.9.7, 4.1.x prior to 4.1.6, or 4.2.x prior to 4.2.3. It is, therefore, potentially affected by the following vulnerabilities :

  - A cross-site scripting (XSS) vulnerability exists due to     a flaw in the Shortcode API in which shortcodes embedded     in HTML tags are not properly handled before returning     the input to the users. A remote, authenticated attacker     can exploit this by using a crafted request to execute     arbitrary code in the user's browser session.
    (CVE-2015-5622)

  - An unspecified vulnerability exists due to a flaw in     Quick Draft, which can allow an unauthorized, remote     user to create arbitrary drafts. (CVE-2015-5623)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Gary Pendergast reports :

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team.

ID	Name	Product	Family	Severity
9030	WordPress < 3.7.9 / 3.8.x < 3.8.9 / 3.9.x < 3.9.7 / 4.1.x < 4.1.6 / 4.2.x < 4.2.3 Multiple Vulnerabilities	Nessus Network Monitor	CGI	low
86666	Debian DSA-3383-1 : wordpress - security update	Nessus	Debian Local Security Checks	medium
85546	Debian DLA-294-1 : wordpress security update	Nessus	Debian Local Security Checks	high
85390	Fedora 22 : wordpress-4.2.4-1.fc22 (2015-12235)	Nessus	Fedora Local Security Checks	high
85389	Fedora 21 : wordpress-4.2.4-1.fc21 (2015-12148)	Nessus	Fedora Local Security Checks	high
85355	Debian DSA-3332-1 : wordpress - security update	Nessus	Debian Local Security Checks	high
85352	Debian DSA-3328-1 : wordpress - security update	Nessus	Debian Local Security Checks	medium
85082	WordPress < 3.7.9 / 3.8.9 / 3.9.7 / 4.1.6 / 4.2.3 Multiple Vulnerabilities	Nessus	CGI abuses	medium
84973	FreeBSD : wordpress -- XSS vulnerability (c80b27a2-3165-11e5-8a1d-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	medium

Detections

Analytics

CVE-2015-5622

medium

Tenable Plugins

low

medium

high

high

high

high

medium

medium

medium