Fedora 21 : wordpress-4.2.4-1.fc21 (2015-12148)

high Nessus Plugin ID 85389

Synopsis

The remote Fedora host is missing a security update.

Description

**WordPress 4.2.4 Security and Maintenance Release**

WordPress 4.2.4 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site, which were discovered by Marc-Alexandre Montpas of Sucuri, Helen Hou-Sandi of the WordPress security team, Netanel Rubin of Check Point, and Ivan Grigorov. It also includes a fix for a potential timing side-channel attack, discovered by Johannes Schmitt of Scrutinizer, and prevents an attacker from locking a post from being edited, discovered by Mohamed A. Baset.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.4 also fixes four bugs. For more information, see: the release notes or consult the list of changes.

- the release notes:
https://codex.wordpress.org/Version_4.2.4

- the list of changes:
https://core.trac.wordpress.org/log/branches/4.2?rev=3 3573&stop_rev=33396

**WordPress 4.2.3 Security and Maintenance Release**

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.2.2 and earlier are affected by a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site. This was initially reported by Jon Cave and fixed by Robert Chapin, both of the WordPress security team, and later reported by Jouko Pynnonen.

We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.

Our thanks to those who have practiced responsible disclosure of security issues.

WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see :

- the release notes:
https://codex.wordpress.org/Version_4.2.3

- the list of changes:
https://core.trac.wordpress.org/log/branches/4.2?rev=3 3382&stop_rev=32430

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected wordpress package.

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=1246396

https://bugzilla.redhat.com/show_bug.cgi?id=1250583

https://codex.wordpress.org/Version_4.2.3

https://codex.wordpress.org/Version_4.2.4

http://www.nessus.org/u?c694e2e5

http://www.nessus.org/u?661d9776

http://www.nessus.org/u?9af9c336

Plugin Details

Severity: High

ID: 85389

File Name: fedora_2015-12148.nasl

Version: 2.8

Type: local

Agent: unix

Published: 8/14/2015

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:wordpress, cpe:/o:fedoraproject:fedora:21

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 7/29/2015

Reference Information

CVE: CVE-2015-2213, CVE-2015-5622, CVE-2015-5623, CVE-2015-5730, CVE-2015-5731, CVE-2015-5732, CVE-2015-5733, CVE-2015-5734

FEDORA: 2015-12148