-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2017.0017
        WordPress 4.7.3 Security and Maintenance Release
                              7 March 2017
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WordPress
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Request Forgery      -- Remote with User Interaction
                   Delete Arbitrary Files          -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade

Member content until: Thursday, April 6 2017

OVERVIEW

        Multiple vulnerabilities have been identified in WordPress prior to
        version 4.7.3. [1]

IMPACT

        The vendor has provided the following details regarding the
        vulnerabilities:

        "Cross-site scripting (XSS) via media file metadata. Reported by
        Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.

        Control characters can trick redirect URL validation. Reported by
        Daniel Chatfield.

        Unintended files can be deleted by administrators using the plugin
        deletion functionality. Reported by xuliang.

        Cross-site scripting (XSS) via video URL in YouTube embeds.
        Reported by Marc Montpas.

        Cross-site scripting (XSS) via taxonomy term names. Reported by
        Delta.

        Cross-site request forgery (CSRF) in Press This leading to
        excessive use of server resources. Reported by Sipke Mellema." [1]

MITIGATION

        The vendor strongly encourages users to update to the latest
        version. [1]

REFERENCES

        [1] WordPress 4.7.3 Security and Maintenance Release
            https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWL3zTox+lLeg9Ub1AQgaJA/+LJbBcRoj/8pzCe+o629dX+vSovSngJY5
d5fV86zyFbwssnmYzC6hI8QAptBAb3rgyyowgqCKrYTGNtM8CwBLbCm3A/BRsACL
9sFVQk83X1KAz7qCrPnNBTyOQeC27567LziOwnyC6S+9omafCjsZEkxjIfT0TzsD
zDsYDls1n7wfF27tjM3ud1kaGGQ+uwS5A1PLpGGEbXX1YsfuNdDiGsEx0YwuDgqp
vXfcbjk3xs8AIU3OlJLCcPEpe0i6Ep3BmE2/ET2QJiYRq1Xxz5RtQ2uzHMOcMw9Z
f70d57Y6z9fV/e7WFlwPNfnmF6iwPJxqeMRPcOA1VrsdBCJjWqYWih6r8eGH1rig
mINcSbny01tFlYr6sOvCNnbPYKO3WX1jx0PWwHMf3DNEx+qRlL8YJ4SpOeT9aXhY
Atu+hXYfVHIlAa0EuZB8WdE1LL65izhYSDu8wSR5BLKLBV/6ONhOC4aPndO17uRZ
aGdXoBfIYwE+v+3BJIbXxMgsYFQw4owbAla2zL8nD/+mSV3983DLaxVDEYMvL7Hj
eDQ45KdEQpJXtrcd/o6PUlzqU3eBhbr0nmbLEuweJE8A0zK5zGWLwtPKRnWrQ8tV
7COE1TsG/NRGTqF92a3seapNBEqSyXmZoCEQwE8JmB6ZA3ElVTglAfF9Py6hXGa2
1JzbK+uNmCU=
=YRKK
-----END PGP SIGNATURE-----
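Added example, not code from the AusCERT bulletin or from WordPress: the IMPACT section notes that control characters can trick redirect URL validation. The validator below shows one defensive pattern for that class of issue: reject any redirect target containing C0/C1 control characters or DEL before the URL is parsed at all, then check the scheme and an explicit host allowlist. The host allowlist, the function names and the sample inputs are constructed for illustration.

```python
"""Redirect-target validation that refuses control characters up front.

Added example (not WordPress code). Assumptions: the application only
redirects to hosts in ALLOWED_HOSTS (a constructed list), and site-relative
paths such as "/dashboard" are acceptable same-site targets.
"""
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Schemes that are acceptable for an absolute redirect target.
SAFE_SCHEMES = {"http", "https"}


def has_control_chars(s: str) -> bool:
    """True if s contains any C0 control (0x00-0x1F), DEL (0x7F) or C1 control (0x80-0x9F).

    URL parsers (and browsers) differ in how they treat these bytes, so a
    validator that parses first and checks the host afterwards may see a
    different host than the browser does. Rejecting them before parsing
    removes that ambiguity.
    """
    return any(ord(c) < 0x20 or 0x7F <= ord(c) <= 0x9F for c in s)


def validate_redirect(location: str, fallback: str = "/") -> str:
    """Return `location` if it is a safe redirect target, otherwise `fallback`.

    Order matters: the control-character check runs before urlsplit so that
    the parsed result cannot be skewed by characters the parser strips or
    mis-handles.
    """
    if not isinstance(location, str) or location == "":
        return fallback
    if has_control_chars(location):
        return fallback
    # Browsers normalise backslash to slash in http(s) URLs; refuse it so
    # "/\host" cannot be read as a relative path here and an absolute URL there.
    if "\\" in location:
        return fallback

    parts = urlsplit(location)

    # An explicit scheme must be http or https (rejects javascript:, data:, ...).
    if parts.scheme and parts.scheme.lower() not in SAFE_SCHEMES:
        return fallback

    if parts.netloc == "":
        # No authority component: treat as a site-relative path.
        return location

    # Absolute (or protocol-relative "//host/...") target: host must be allowlisted.
    host = parts.hostname or ""
    if host.lower() not in ALLOWED_HOSTS:
        return fallback
    return location


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("/dashboard", "https://www.example.com/profile",
                      "https://other.example.net/", "/dashboard\x00",
                      "javascript:void(0)"):
        print(repr(candidate), "->", repr(validate_redirect(candidate)))
```

The key design choice is to fail closed on the raw string rather than on the parsed URL: once a control character is present, the safest answer is the fixed fallback, regardless of what any particular parser would make of the rest of the value.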