Subject: CVS commit: pkgsrc/www/wordpress
From: Daniel Horecki
Date: 2017-09-21 21:24:46
Message id: 20170921192446.6FF56FA9A@cvs.NetBSD.org
Log Message:
Security update to version 4.8.2
Security issues:
- $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco.
- A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team.
- A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.
- A path traversal vulnerability was discovered in the file unzipping code. Reported by Alex Chapman (noxrnet).
- A cross-site scripting (XSS) vulnerability was discovered in the plugin editor. Reported by 陈瑞琦 (Chen Ruiqi).
- An open redirect was discovered on the user and term edit screens. Reported by Yasin Soliman (ysx).
- A path traversal vulnerability was discovered in the customizer. Reported by Weston Ruter of the WordPress Security Team.
- A cross-site scripting (XSS) vulnerability was discovered in template names. Reported by Luka (sikic).
- A cross-site scripting (XSS) vulnerability was discovered in the link modal. Reported by Anas Roubi (qasuar).
And 6 other fixes:
* Emoji
- #41584 - Upgrade Twemoji to 2.5.0
- #41852 - Fix UN flag test by returning the correct value.
* I18N
- #41794 - Support numbers in locales during installation
* Security
- #13377 - Add more sanitization in _cleanup_header_comment
* Widgets
- #41596 - New Text Widget recognizes HTML but does not render it in the front end
- #41622 - Text widget can show DOMDocument::loadHTML() warnings in admin when is_legacy_widget method is called
More on https://codex.wordpress.org/Version_4.8.2
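The first item above, the $wpdb->prepare() hardening, is aimed at a plugin/theme anti-pattern rather than at core. The following PHP is an added illustration, not code from this pkgsrc commit or from WordPress: model_prepare() is a deliberately simplified stand-in (an assumption) for how $wpdb->prepare() behaved before 4.8.2 (quote each %s, escape every argument, let vsprintf() fill the placeholders; addslashes() replaces the real driver escaping). The "title" and "author" values are constructed attacker inputs. It shows why "double preparing" (interpolating an already-prepared fragment, or any user-influenced text, into a second template) lets '%' characters from data be read as format directives, and contrasts it with the pattern the hardening wants plugins to use: one prepare(), every value passed as an argument.

```php
<?php
declare(strict_types=1);

// Simplified model of pre-4.8.2 $wpdb->prepare() (assumption for illustration,
// NOT WordPress's code): single-quote every %s, escape each argument, then
// let vsprintf() substitute. Real prepare() uses the DB driver's escaping;
// addslashes() stands in for it here.
function model_prepare(string $query, ...$args): string
{
    $query = str_replace("'%s'", '%s', $query);           // un-quote an already quoted %s ...
    $query = preg_replace('|(?<!%)%s|', "'%s'", $query);  // ... then quote every %s exactly once
    $args  = array_map('addslashes', $args);              // escapes quotes/backslashes, NOT '%'
    return vsprintf($query, $args);
}

// --- Anti-pattern the 4.8.2 hardening targets: "double prepare" ---
// Stage 1: a plugin prepares a WHERE fragment from user input.
$user_title = '%1$s';            // constructed attacker input for a "title" filter
$fragment   = model_prepare('post_title = %s', $user_title);
// The value is escaped, but its '%' survives, so $fragment now carries a
// literal %1$s positional directive.

// Stage 2: the fragment is interpolated into a new template and prepared again.
$author_param = '7 OR 1=1';      // constructed input meant for the %d placeholder
$unsafe = model_prepare(
    "SELECT ID FROM wp_posts WHERE $fragment AND post_author = %d",
    $author_param
);
// %1$s is not a '%s' match, so the model never quotes it: vsprintf() drops the
// raw (merely backslash-escaped) argument wherever the attacker put it, while
// %d casts the same argument to an integer. The query no longer says what the
// plugin author wrote; whether that is exploitable depends on where the
// fragment lands, which is exactly the uncertainty the hardening removes.
echo "double-prepare result:\n  $unsafe\n";

// --- Safe pattern: one prepare(), all values as arguments ---
// Nothing user-controlled ever becomes part of the template string, so a '%'
// in data stays data and each placeholder receives the argument it was written for.
$safe = model_prepare(
    'SELECT ID FROM wp_posts WHERE post_title = %s AND post_author = %d',
    $user_title,
    $author_param
);
echo "single-prepare result:\n  $safe\n";
```

Run it with `php` and compare the two echoed statements. The same rule applies when building LIKE patterns: escape the value with $wpdb->esc_like() and pass it as a %s argument, rather than pasting it (or a previously prepared fragment) into the query text that goes to prepare().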
Files: