Fedora 37 : wordpress (2022-245db0c060)

high Nessus Plugin ID 211016

Synopsis

The remote Fedora host is missing one or more security updates.

Description

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2022-245db0c060 advisory.

Upstream announcement: [WordPress 6.1 Misha](https://wordpress.org/news/2022/11/misha/)

----

**WordPress 6.0.3 Security Release**

Security updates included in this release

* Stored XSS via wp-mail.php (post by email) Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
* Open redirect in `wp_nonce_ays` devrayn
* Senders email address is exposed in wp-mail.php Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
* Media Library Reflected XSS via SQLi Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
* CSRF in wp-trackback.php Simon Scannell
* Stored XSS via the Customizer Alex Concha from the WordPress security team
* Revert shared user instances introduced in 50790 Alex Concha and Ben Bidner from the WordPress security team
* Stored XSS in WordPress Core via Comment Editing Third-party security audit and Alex Concha from the WordPress security team
* Data exposure via the REST Terms/Tags Endpoint Than Taintor
* Content from multipart emails leaked Thomas Krftner
* SQL Injection due to improper sanitization in `WP_Date_Query` Michael Mazzolini
* RSS Widget: Stored XSS issue Third-party security audit
* Stored XSS in the search block Alex Concha of the WP Security team
* Feature Image Block: XSS issue Third-party security audit
* RSS Block: Stored XSS issue Third-party security audit
* Fix widget block XSS Third-party security audit


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected wordpress package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2022-245db0c060

Plugin Details

Severity: High

ID: 211016

File Name: fedora_2022-245db0c060.nasl

Version: 1.1

Type: local

Agent: unix

Published: 11/14/2024

Updated: 11/14/2024

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:wordpress, cpe:/o:fedoraproject:fedora:37

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/2/2022

Vulnerability Publication Date: 11/2/2022

Reference Information