wordpress-6.0.3-1.fc36

FEDORA-2022-4e099582c7

Packages in this update:

wordpress-6.0.3-1.fc36

Update description:

WordPress 6.0.3 Security Release

Security updates included in this release

Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
Open redirect in wp_nonce_ays – devrayn
Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
CSRF in wp-trackback.php – Simon Scannell
Stored XSS via the Customizer – Alex Concha from the WordPress security team
Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
Data exposure via the REST Terms/Tags Endpoint – Than Taintor
Content from multipart emails leaked – Thomas Kräftner
SQL Injection due to improper sanitization in WP_Date_Query – Michael Mazzolini
RSS Widget: Stored XSS issue – Third-party security audit
Stored XSS in the search block – Alex Concha of the WP Security team
Feature Image Block: XSS issue – Third-party security audit
RSS Block: Stored XSS issue – Third-party security audit
Fix widget block XSS – Third-party security audit

DSA-5256 bcel – security update

The Apache Xalan Java XSLT library is vulnerable to an integer truncation
issue when processing malicious XSLT stylesheets. This can be used to corrupt
Java class files generated by the internal XSLTC compiler and execute arbitrary
Java bytecode. In Debian the vulnerable code is in the bcel source package.