WordPress 4.0.1 Security Release

See: https://wordpress.org/news/2014/11/wordpress-4-0-1/

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated wordpress package fixes security vulnerabilities :

XSS in wptexturize() via comments or posts, exploitable for unauthenticated users (CVE-2014-9031).

XSS in media playlists (CVE-2014-9032).

CSRF in the password reset process (CVE-2014-9033).

Denial of service for giant passwords. The phpass library by Solar Designer was used in both projects without setting a maximum password length, which can lead to CPU exhaustion upon hashing (CVE-2014-9034).

XSS in Press This (CVE-2014-9035).

XSS in HTML filtering of CSS in posts (CVE-2014-9036).

Hash comparison vulnerability in old-style MD5-stored passwords (CVE-2014-9037).

SSRF: Safe HTTP requests did not sufficiently block the loopback IP address space (CVE-2014-9038).

Previously an email address change would not invalidate a previous password reset email (CVE-2014-9039).

According to its version number, the WordPress application installed on the remote web server is affected by multiple vulnerabilities :

  - Multiple unspecified errors exist that could allow     cross-site scripting attacks.

  - An unspecified error exists that could allow cross-site     request forgery attacks.

  - An error exists related to password handling that could     allow denial of service attacks.

  - An unspecified error exists that could allow server-side     request forgery attacks.

  - A hash collision error exists that could allow a user     account to be compromised.

  - An error exists related to password reset processing     that could allow a user account to be compromised.

  - An error exists related to the post or page comment     field that could allow persistent cross-site scripting     attacks.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

In the Debian squeeze-lts version of Wordpress, multiple security issues have been fixed :

Remote attackers could...

  - ... upload files with invalid or unsafe names

  - ... mount social engineering attacks

  - ... compromise a site via cross-site scripting

  - ... inject SQL commands

  - ... cause denial of service or information disclosure

CVE-2014-9031

Jouko Pynnonen discovered an unauthenticated cross site scripting vulnerability (XSS) in wptexturize(), exploitable via comments or posts.

CVE-2014-9033

Cross site request forgery (CSRF) vulnerability in the password changing process, which could be used by an attacker to trick an user into changing her password.

CVE-2014-9034

Javier Nieto Arevalo and Andres Rojas Guerrero reported a potential denial of service in the way the phpass library is used to handle passwords, since no maximum password length was set.

CVE-2014-9035

John Blackbourn reported an XSS in the 'Press This' function (used for quick publishing using a browser 'bookmarklet').

CVE-2014-9036

Robert Chapin reported an XSS in the HTML filtering of CSS in posts.

CVE-2014-9037

David Anderson reported a hash comparison vulnerability for passwords stored using the old-style MD5 scheme. While unlikely, this could be exploited to compromise an account, if the user had not logged in after a Wordpress 2.5 update (uploaded to Debian on 2 Apr, 2008) and the password MD5 hash could be collided with due to PHP dynamic comparison.

CVE-2014-9038

Ben Bidner reported a server side request forgery (SSRF) in the core HTTP layer which unsufficiently blocked the loopback IP address space.

CVE-2014-9039

Momen Bassel, Tanoy Bose, and Bojan Slavkovic reported a vulnerability in the password reset process: an email address change would not invalidate a previous password reset email.

CVE-2015-3438

Cedric Van Bockhaven reported and Gary Pendergast, Mike Adams, and Andrew Nacin of the WordPress security team fixed a cross-site-scripting vulnerabilitity, which could enable anonymous users to compromise a site. 

CVE-2015-3439

Jakub Zoczek discovered a very limited cross-site scripting vulnerability, that could be used as part of a social engineering attack.

CVE-2015-3440

Jouko Pynn&ouml;nen discovered a cross-site scripting vulnerability, which could enable commenters to compromise a site.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

MITRE reports :

wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message.

wp-includes/http.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to conduct server-side request forgery (SSRF) attacks by referring to a 127.0.0.0/8 resource.

WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to obtain access to an account idle since 2008 by leveraging an improper PHP dynamic type comparison for an MD5 hash.

Cross-site scripting (XSS) vulnerability in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted Cascading Style Sheets (CSS) token sequence in a post.

Cross-site scripting (XSS) vulnerability in Press This in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors

wp-includes/class-phpass.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 allows remote attackers to cause a denial of service (CPU consumption) via a long password that is improperly handled during hashing, a similar issue to CVE-2014-9016.

Cross-site request forgery (CSRF) vulnerability in wp-login.php in WordPress 3.7.4, 3.8.4, 3.9.2, and 4.0 allows remote attackers to hijack the authentication of arbitrary users for requests that reset passwords.

Multiple security issues have been discovered in Wordpress, a web blogging tool, resulting in denial of service or information disclosure. More information can be found in the upstream advisory at

  - CVE-2014-9031     Jouko Pynnonen discovered an unauthenticated cross site     scripting vulnerability (XSS) in wptexturize(),     exploitable via comments or posts.

  - CVE-2014-9033     Cross site request forgery (CSRF) vulnerability in the     password changing process, which could be used by an     attacker to trick an user into changing her password.

  - CVE-2014-9034     Javier Nieto Arevalo and Andres Rojas Guerrero reported     a potential denial of service in the way the phpass     library is used to handle passwords, since no maximum     password length was set.

  - CVE-2014-9035     John Blackbourn reported an XSS in the 'Press This'     function (used for quick publishing using a browser     'bookmarklet').

  - CVE-2014-9036     Robert Chapin reported an XSS in the HTML filtering of     CSS in posts.

  - CVE-2014-9037     David Anderson reported a hash comparison vulnerability     for passwords stored using the old-style MD5 scheme.
    While unlikely, this could be exploited to compromise an     account, if the user had not logged in after a Wordpress     2.5 update (uploaded to Debian on 2 Apr, 2008) and the     password MD5 hash could be collided with due to PHP     dynamic comparison.

  - CVE-2014-9038     Ben Bidner reported a server side request forgery (SSRF)     in the core HTTP layer which unsufficiently blocked the     loopback IP address space.

  - CVE-2014-9039     Momen Bassel, Tanoy Bose, and Bojan Slavkovic reported a     vulnerability in the password reset process: an email     address change would not invalidate a previous password     reset email.

Versions of WordPress 3.7 prior to 3.7.5, 3.8.x prior to 3.8.5, 3.9.x prior to 3.9.3, and 4.x prior to 4.0.1 are susceptible to the following vulnerabilities : 

  - Three cross-site scripting issues that a contributor or author could use to compromise a site. (CVE-2014-9032, CVE-2014-9035, CVE-2014-9036)

  - A cross-site request forgery that could be used to trick a user into changing their password.(CVE-2014-9039)

  - An issue that could lead to a denial of service when passwords are checked. (CVE-2014-9034)

  - Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. (CVE-2014-9033)

  - An extremely unlikely hash collision could allow a user's account to be compromised, that also required that they haven't logged in since 2008. (CVE-2014-9037)

  - WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. (CVE-2014-9039)

  - WordPress versions 3.9.2 and earlier are affected by a cross-site scripting vulnerability which could enable an anonymous user to compromise the site. (CVE-2014-9031)

ID	Name	Product	Family	Published	Updated	Severity
79678	Fedora 19 : wordpress-4.0.1-1.fc19 (2014-15526)	Nessus	Fedora Local Security Checks	12/3/2014	1/11/2021	medium
79613	Mandriva Linux Security Advisory : wordpress (MDVSA-2014:233)	Nessus	Mandriva Local Security Checks	11/28/2014	1/6/2021	medium
79437	WordPress < 3.7.5 / 3.8.5 / 3.9.3 / 4.0.1 Multiple Vulnerabilities	Nessus	CGI abuses	11/25/2014	6/5/2024	medium
79674	Fedora 20 : wordpress-4.0.1-1.fc20 (2014-15507)	Nessus	Fedora Local Security Checks	12/3/2014	1/11/2021	medium
83918	Debian DLA-236-1 : wordpress security update	Nessus	Debian Local Security Checks	6/2/2015	1/11/2021	medium
80350	FreeBSD : wordpress -- multiple vulnerabilities (5e135178-8aeb-11e4-801f-0022156e8794)	Nessus	FreeBSD Local Security Checks	1/5/2015	1/6/2021	medium
79774	Fedora 21 : wordpress-4.0.1-1.fc21 (2014-15560)	Nessus	Fedora Local Security Checks	12/7/2014	1/11/2021	medium
79696	Debian DSA-3085-1 : wordpress - security update	Nessus	Debian Local Security Checks	12/4/2014	1/11/2021	medium
8584	WordPress 3.7 < 3.7.5 / 3.8 < 3.8.5 / 3.9 < 3.9.3 / 4.x < 4.0.1 Multiple Vulnerabilities	Nessus Network Monitor	CGI	3/12/2015	3/6/2019	high

Detections

Analytics

Plugins Search

medium

medium

medium

medium

medium

medium

medium

medium

high