Summary: added security details
Revision as of 19:40, 6 March 2017
Line 6:
== Summary ==
−
+
−
TBD
+
versions 4.7.2 and earlier are affected by six security issues:
−
+
+
# Cross-site scripting (XSS) via media file metadata. Reported by [https://www.securesolutions.no/ Chris Andrè Dale], [https://twitter.com/yorickkoster Yorick Koster], and Simon P. Briggs.
+
# Control characters can trick redirect URL validation. Reported by [http://www.danielchatfield.com/ Daniel Chatfield].
+
# Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by [http://b.360.cn/ xuliang].
+
# Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by [https://twitter.com/marcs0h Marc Montpas].
+
# Cross-site scripting (XSS) via taxonomy term names. Reported by [https://profiles.wordpress.org/deltamgm2 Delta].
+
# Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.
+
== List of Files Revised ==
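Review bot: the replacement for "TBD" begins mid-sentence and never names the product: "versions 4.7.2 and earlier are affected by six security issues:" should read "WordPress versions 4.7.2 and earlier are affected by six security issues:" so the Summary section stands on its own. The six numbered entries also give only a one-line title and reporter credit; for a release summary, each entry would be more useful with the affected component and the precondition for the issue (for example, which user capability is needed for the taxonomy term name XSS, or whether the redirect URL and Press This issues are reachable unauthenticated), and with the upstream security advisory or tracking reference linked once the identifiers are available, rather than leaving readers to infer severity from the titles alone.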