Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
Debian LTS: Security Advisory for wordpress (DLA-2429-1)
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
The remote host is missing an update for the 'wordpress' package(s) announced via the DLA-2429-1 advisory.
Insight
Insight
There were several vulnerabilities reported against wordpress, as follows: CVE-2020-28032 WordPress before 4.7.19 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. CVE-2020-28033 WordPress before 4.7.19 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. CVE-2020-28034 WordPress before 4.7.19 allows XSS associated with global variables. CVE-2020-28035 WordPress before 4.7.19 allows attackers to gain privileges via XML-RPC. CVE-2020-28036 wp-includes/class-wp-xmlrpc-server.php in WordPress before 4.7.19 allows attackers to gain privileges by using XML-RPC to comment on a post. CVE-2020-28037 is_blog_installed in wp-includes/functions.php in WordPress before 4.7.19 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation). CVE-2020-28038 WordPress before 4.7.19 allows stored XSS via post slugs. CVE-2020-28039 is_protected_meta in wp-includes/meta.php in WordPress before 4.7.19 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. CVE-2020-28040 WordPress before 4.7.19 allows CSRF attacks that change a theme's background image.
Affected Software
Affected Software
'wordpress' package(s) on Debian Linux.
Detection Method
Detection Method
Checks if a vulnerable package version is present on the target host.
Solution
Solution
For Debian 9 stretch, these problems have been fixed in version 4.7.19+dfsg-1+deb9u1. We recommend that you upgrade your wordpress packages.