wordpress - Debian Package Tracker

general

source: wordpress (main)
version: 6.7.2+dfsg1-1.1
maintainer: Craig Small (DMD)
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 5.0.15+dfsg1-0+deb10u1
o-o-sec: 5.0.21+dfsg1-0+deb10u1
oldstable: 5.7.11+dfsg1-0+deb11u1
old-sec: 5.7.11+dfsg1-0+deb11u1
stable: 6.1.6+dfsg1-0+deb12u1
stable-sec: 6.1.6+dfsg1-0+deb12u1
unstable: 6.7.2+dfsg1-1.1

versioned links

5.0.15+dfsg1-0+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.0.21+dfsg1-0+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.7.11+dfsg1-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.6+dfsg1-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.6.1+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.7.2+dfsg1-1.1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

wordpress (6 bugs: 0, 2, 4, 0)
wordpress-l10n
wordpress-theme-twentytwentyfive
wordpress-theme-twentytwentyfour
wordpress-theme-twentytwentythree

action needed

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2012-6707: WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2022-3590: WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Created: 2022-07-04 Last update: 2025-02-19 11:55

6 security issues in bullseye high

There are 6 open security issues in bullseye.

1 important issue:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

4 issues postponed or untriaged:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2022-3590: (needs triaging) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: (postponed; to be fixed through a stable update) In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
CVE-2021-44223: (needs triaging) WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

1 ignored issue:

CVE-2023-5692: WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.

Created: 2022-07-04 Last update: 2025-02-19 11:55

9 security issues in bookworm high

There are 9 open security issues in bookworm.

5 important issues:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2023-5692: WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.
CVE-2024-4439: WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
CVE-2024-6307: WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-31111: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.

4 issues left for the package maintainer to handle:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2022-3590: (postponed; to be fixed through a stable update) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: (postponed; to be fixed through a stable update) In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
TEMP-1036689-1CA7FB: (postponed; to be fixed through a stable update)

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2025-02-19 11:55

The VCS repository is not up to date, push the missing commits. high

vcswatch reports that the current version of the package is not in its VCS.
Either you need to push your commits and/or your tags, or the information about the package's VCS are out of date. A common cause of the latter issue when using the Git VCS is not specifying the correct branch when the packaging is not in the default one (remote HEAD branch), which is usually "master" but can be modified in salsa.debian.org in the project's general settings with the "Default Branch" field). Alternatively the Vcs-Git field in debian/control can contain a "-b <branch-name>" suffix to indicate what branch is used for the Debian packaging.

Created: 2024-11-08 Last update: 2025-02-17 12:02

debian/patches: 1 patch with invalid metadata, 2 patches to forward upstream high

Among the 7 debian patches available in version 6.7.2+dfsg1-1.1 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.
2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-02-16 18:30

4 security issues in trixie high

There are 4 open security issues in trixie.

4 important issues:

CVE-2012-6707: WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2022-3590: WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.

Created: 2023-06-11 Last update: 2024-11-12 13:30

10 security issues in buster high

There are 10 open security issues in buster.

6 important issues:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2023-5692: WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.
CVE-2024-4439: WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
CVE-2024-6307: WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-31111: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.
CVE-2024-32111: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.

4 issues postponed or untriaged:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2022-3590: (postponed; to be fixed through a stable update) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: (postponed; to be fixed through a stable update) In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
CVE-2021-44223: (needs triaging) WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

Created: 2022-07-04 Last update: 2024-06-29 19:18

Depends on packages which need a new maintainer normal

The packages that wordpress depends on which need a new maintainer are:

dh-linktree (#980413)
- Build-Depends: dh-linktree

Created: 2021-01-18 Last update: 2025-02-20 16:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.0 instead of 4.6.2).

Created: 2024-04-07 Last update: 2025-02-16 17:00

testing migrations

excuses:
- Migration status for wordpress (- to 6.7.2+dfsg1-1.1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Too young, only 4 of 5 days old
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/w/wordpress.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Waiting for reproducibility test results on armhf - info ♻
- ∙ ∙ Reproducible on i386 - info ♻
- Not considered

news

[rss feed]

[2025-02-16] Accepted wordpress 6.7.2+dfsg1-1.1 (source) into unstable (Niels Thykier)
[2025-02-14] Accepted wordpress 6.7.2+dfsg1-1 (source all) into unstable (Debian FTP Masters) (signed by: Craig Small)
[2025-02-10] wordpress REMOVED from testing (Debian testing watch)
[2024-08-12] wordpress 6.6.1+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-08-06] Accepted wordpress 6.6.1+dfsg1-1 (source) into unstable (Craig Small)
[2024-07-05] wordpress 6.5.5+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-06-30] Accepted wordpress 6.5.5+dfsg1-1 (source) into unstable (Craig Small)
[2024-05-24] wordpress 6.5.3+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-05-19] Accepted wordpress 6.5.3+dfsg1-1 (source) into unstable (Craig Small)
[2024-05-12] Accepted wordpress 5.7.11+dfsg1-0+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2024-05-12] Accepted wordpress 6.1.6+dfsg1-0+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2024-05-08] Accepted wordpress 5.7.11+dfsg1-0+deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2024-05-08] Accepted wordpress 6.1.6+dfsg1-0+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2024-04-21] wordpress 6.5.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-04-16] Accepted wordpress 6.5.2+dfsg1-1 (source) into unstable (Craig Small)
[2024-04-09] wordpress 6.5+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-04-04] Accepted wordpress 6.5+dfsg1-1 (source) into unstable (Craig Small)
[2024-03-10] Accepted wordpress 5.0.21+dfsg1-0+deb10u1 (source) into oldoldstable (Markus Koschany)
[2024-02-13] wordpress 6.4.3+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-02-08] Accepted wordpress 6.4.3+dfsg1-1 (source) into unstable (Craig Small)
[2024-01-07] wordpress 6.4.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-01-01] Accepted wordpress 6.4.2+dfsg1-1 (source) into unstable (Craig Small)
[2023-12-31] Accepted wordpress 6.4.1+dfsg1-1.1 (source) into unstable (Paul Gevers)
[2023-11-20] Accepted wordpress 5.0.20+dfsg1-0+deb10u1 (source) into oldoldstable (Markus Koschany)
[2023-11-14] Accepted wordpress 6.4.1+dfsg1-1 (source all) into unstable (Debian FTP Masters) (signed by: Craig Small)
[2023-11-03] wordpress 6.3.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2023-10-29] Accepted wordpress 6.3.2+dfsg1-1 (source) into unstable (Craig Small)
[2023-09-17] wordpress 6.3.1+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2023-09-12] Accepted wordpress 6.3.1+dfsg1-1 (source) into unstable (Craig Small)
[2023-08-15] wordpress 6.3+dfsg1-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 12
RC: 0
I&N: 7
M&W: 4
F&P: 1
patch: 0

links

homepage
lintian
buildd: logs
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 96)
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.4.3+dfsg1-1ubuntu1
8 bugs
patches for 6.4.3+dfsg1-1ubuntu1