2017-02-01

added additional security disclosure

Revision as of 19:05, 1 February 2017

Line 11:

Line 11:

From the [https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ WordPress 4.7.2 release post]: WordPress versions 4.7.1 and earlier are affected by three security issues:

From the [https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/ WordPress 4.7.2 release post]: WordPress versions 4.7.1 and earlier are affected by three security issues:



# The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of [https://www.alleyinteractive.com/ Alley Interactive].

# The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of [https://www.alleyinteractive.com/ Alley Interactive].

# <code>WP_Query</code> is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by [https://github.com/mjangda Mo Jangda] (batmoo).

# <code>WP_Query</code> is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by [https://github.com/mjangda Mo Jangda] (batmoo).

# A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by [https://iandunn.name/ Ian Dunn] of the WordPress Security Team.

# A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by [https://iandunn.name/ Ian Dunn] of the WordPress Security Team.

+

+

From the [https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/ additional 4.7.2 security disclosure], WordPress versions 4.7.0 and 4.7.1 are affected by the following security issue:

+

# There was an ''Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint''. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this. Reported by [https://twitter.com/MarcS0h Marc-Alexandre Montpas] of [https://sucuri.net/ Sucuri].

== List of Files Revised ==

== List of Files Revised ==
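Review bot: the added <code>#</code> item at the end of the hunk begins a new ordered list after the intervening "From the ... additional 4.7.2 security disclosure" paragraph, so MediaWiki will render it as "1." rather than as a fourth entry continuing the three above; either accept the restart or word the lead-in so it reads as a separate single-item list (for example "the following additional security issue:"). The unchanged introduction still states "WordPress versions 4.7.1 and earlier are affected by three security issues", which now sits above a page listing four; a short clause noting that the count is the release post's and that a fourth fix in the same 4.7.2 release was disclosed separately on 1 February 2017 would keep the two paragraphs consistent.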
