-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
              AUSCERT Security Bulletin ASB-2015.0074
       A number of vulnerabilities have been identified in WordPress
                              24 July 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WordPress
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting  -- Remote with User Interaction
                   Unauthorised Access   -- Existing Account
Resolution:        Patch/Upgrade

Member content until: Sunday, August 23 2015

OVERVIEW

        A number of vulnerabilities have been identified in WordPress
        prior to version 4.2.3. [1]

IMPACT

        The vendor has provided the following details regarding these
        issues:

        "This is a security release for all previous versions and we
        strongly encourage you to update your sites immediately.

        WordPress versions 4.2.2 and earlier are affected by a cross-site
        scripting vulnerability, which could allow users with the
        Contributor or Author role to compromise a site. This was
        initially reported by Jon Cave and fixed by Robert Chapin, both
        of the WordPress security team, and later reported by Jouko
        Pynnönen.

        We also fixed an issue where it was possible for a user with
        Subscriber permissions to create a draft through Quick Draft.
        Reported by Netanel Rubin from Check Point Software
        Technologies." [1]

MITIGATION

        The vendor recommends updating to the latest version of WordPress
        to correct these issues. [1]

REFERENCES

        [1] WordPress 4.2.3 Security and Maintenance Release
            https://wordpress.org/news/2015/07/wordpress-4-2-3/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
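The MITIGATION section above asks administrators to confirm they are on 4.2.3 or later. The following is an added example, not part of the AusCERT bulletin or of WordPress itself, of a check a defender can run over the contents of each install's wp-includes/version.php to flag installs still in the affected range (4.2.2 and earlier). The version.php body shown is constructed; the treatment of pre-release suffixes is an assumption noted in the comments.

```python
import re
from typing import Optional, Tuple

# First version carrying the fix, per the bulletin and WordPress release notes.
FIXED_VERSION = "4.2.3"

# wp-includes/version.php declares the running version as a PHP string, e.g.
#   $wp_version = '4.2.2';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_wp_version(version_php: str) -> Optional[str]:
    """Return the $wp_version string from a version.php body, or None."""
    match = _VERSION_RE.search(version_php)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering, e.g. '4.2' -> (4, 2, 0).
    Assumption: a pre-release suffix such as '-beta1' or '-RC2' is dropped,
    so a 4.2.3 pre-release is ordered like 4.2.3 itself."""
    numeric = version.split("-", 1)[0]
    parts = [int(p) for p in numeric.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the install is 4.2.2 or earlier and needs the 4.2.3 update."""
    return version_key(version) < version_key(FIXED_VERSION)


def check_version_php(version_php: str) -> Tuple[Optional[str], bool]:
    """Parse a version.php body and report (version, affected).
    An unparseable file is reported as affected so it is never silently skipped."""
    version = parse_wp_version(version_php)
    if version is None:
        return None, True
    return version, is_affected(version)


# Constructed sample standing in for a real wp-includes/version.php.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.2.2';\n"

if __name__ == "__main__":
    print(check_version_php(SAMPLE_VERSION_PHP))  # ('4.2.2', True)
```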