wordpress -- multiple vulnerabilities

ID 14EA4458-E5CD-11E6-B56D-38D547003487
Type freebsd
Reporter FreeBSD
Modified 2017-01-26T00:00:00


Aaron D. Campbell reports:

WordPress versions 4.7.1 and earlier are affected by three security issues:

- The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
- WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
- A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
- An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.