===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0074
       A number of vulnerabilities have been identified in WordPress
                               24 July 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              WordPress
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
                      Unauthorised Access  -- Existing Account            
Resolution:           Patch/Upgrade
Member content until: Sunday, August 23 2015

OVERVIEW

        A number of vulnerabilities have been identified in WordPress prior
        to version 4.2.3. [1]


IMPACT

        The vendor has provided the following details regarding these 
        issues:
        
        "This is a security release for all previous versions and we 
        strongly encourage you to update your sites immediately.
        
        WordPress versions 4.2.2 and earlier are affected by a cross-site 
        scripting vulnerability, which could allow users with the 
        Contributor or Author role to compromise a site. This was initially
        reported by Jon Cave and fixed by Robert Chapin, both of the 
        WordPress security team, and later reported by Jouko Pynnönen.
        
        We also fixed an issue where it was possible for a user with 
        Subscriber permissions to create a draft through Quick Draft. 
        Reported by Netanel Rubin from Check Point Software Technologies." [1]


MITIGATION

        The vendor recommends updating to the latest version of WordPress to
        correct these issues. [1]


REFERENCES

        [1] WordPress 4.2.3 Security and Maintenance Release
            https://wordpress.org/news/2015/07/wordpress-4-2-3/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================