Debian LTS: Security Advisory for wordpress (DLA-2429-1)

The remote host is missing an update for the 'wordpress' package(s) announced via the DLA-2429-1 advisory.

There were several vulnerabilities reported against wordpress, as follows: CVE-2020-28032 WordPress before 4.7.19 mishandles deserialization requests in wp-includes/Requests/Utility/FilteredIterator.php. CVE-2020-28033 WordPress before 4.7.19 mishandles embeds from disabled sites on a multisite network, as demonstrated by allowing a spam embed. CVE-2020-28034 WordPress before 4.7.19 allows XSS associated with global variables. CVE-2020-28035 WordPress before 4.7.19 allows attackers to gain privileges via XML-RPC. CVE-2020-28036 wp-includes/class-wp-xmlrpc-server.php in WordPress before 4.7.19 allows attackers to gain privileges by using XML-RPC to comment on a post. CVE-2020-28037 is_blog_installed in wp-includes/functions.php in WordPress before 4.7.19 improperly determines whether WordPress is already installed, which might allow an attacker to perform a new installation, leading to remote code execution (as well as a denial of service for the old installation). CVE-2020-28038 WordPress before 4.7.19 allows stored XSS via post slugs. CVE-2020-28039 is_protected_meta in wp-includes/meta.php in WordPress before 4.7.19 allows arbitrary file deletion because it does not properly determine whether a meta key is considered protected. CVE-2020-28040 WordPress before 4.7.19 allows CSRF attacks that change a theme's background image.

'wordpress' package(s) on Debian Linux.

Checks if a vulnerable package version is present on the target host.

For Debian 9 stretch, these problems have been fixed in version 4.7.19+dfsg-1+deb9u1. We recommend that you upgrade your wordpress packages.