Changelog
wordpress (3.6.1+dfsg-1~deb6u1) squeeze-security; urgency=high

  * Non-maintainer upload by the Security Team.
  * Import Wordpress 3.6.1 from Jessie to fix all the security issues present
    in Squeeze: closes: #722537
    - CVE-2013-4338: unsafe PHP unserialization can cause arbitrary code
      execution.
    - CVE-2013-4339: improper input validation in URL parsing can lead to
      arbitrary redirection.
    - CVE-2013-4340: privilege escalation allowing a user with an author role
      to create an entry appearing as written by another user.
    - CVE-2013-5738: authenticated users can conduct cross-site scripting
      attacks (XSS) using crafted html file uploads.
    - CVE-2013-5739: default Wordpress configuration doesn't prevent upload
      for .swf and .exe files, making it easier for authenticated users to
      conduct XSS attacks.

 -- Yves-Alexis Perez <email address hidden>  Sat, 14 Sep 2013 10:30:29 +0200