wordpress - Debian Package Tracker

general

source: wordpress (main)
version: 6.8.3+dfsg1-1
maintainer: Craig Small (DMD)
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 5.7.11+dfsg1-0+deb11u1
o-o-sec: 5.7.14+dfsg1-0+deb11u1
oldstable: 6.1.6+dfsg1-0+deb12u1
old-sec: 6.1.9+dfsg1-0+deb12u1
old-p-u: 6.1.9+dfsg1-0+deb12u1
stable: 6.8.1+dfsg1-1
stable-sec: 6.8.3+dfsg1-0+deb13u1
stable-p-u: 6.8.3+dfsg1-0+deb13u1
testing: 6.8.3+dfsg1-1
unstable: 6.8.3+dfsg1-1

versioned links

5.7.11+dfsg1-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.7.14+dfsg1-0+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.6+dfsg1-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.9+dfsg1-0+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.8.1+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.8.3+dfsg1-0+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.8.3+dfsg1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

wordpress (8 bugs: 0, 4, 4, 0)
wordpress-l10n
wordpress-theme-twentytwentyfive
wordpress-theme-twentytwentyfour
wordpress-theme-twentytwentythree

action needed

Marked for autoremoval on 29 January due to php-zstd: #1123428 high

Version 6.8.3+dfsg1-1 of wordpress is marked for autoremoval from testing on Thu 29 Jan 2026. It depends (transitively) on php-zstd, affected by #1123428. You should try to prevent the removal by fixing these RC bugs.

Created: 2025-12-23 Last update: 2026-01-02 11:31

A new upstream version is available: 6.9 high

A new upstream version 6.9 is available, you should consider packaging it.

Created: 2025-12-05 Last update: 2026-01-02 11:00

2 security issues in trixie high

There are 2 open security issues in trixie.

1 important issue:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

1 issue left for the package maintainer to handle:

CVE-2022-3590: (postponed; to be fixed through a stable update) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

You can find information about how to handle this issue in the security team's documentation.

Created: 2023-06-11 Last update: 2025-12-21 16:30

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2022-3590: WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

Created: 2022-07-04 Last update: 2025-12-21 16:30

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2022-3590: WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.

Created: 2025-08-09 Last update: 2025-12-21 16:30

5 security issues in bullseye high

There are 5 open security issues in bullseye.

1 important issue:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

3 issues postponed or untriaged:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2022-3590: (needs triaging) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2021-44223: (needs triaging) WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

1 ignored issue:

CVE-2023-5692: WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.

Created: 2022-07-04 Last update: 2025-12-21 16:30

5 security issues in bookworm high

There are 5 open security issues in bookworm.

1 important issue:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.

2 issues left for the package maintainer to handle:

CVE-2022-3590: (postponed; to be fixed through a stable update) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
TEMP-1036689-1CA7FB: (postponed; to be fixed through a stable update)

You can find information about how to handle these issues in the security team's documentation.

2 ignored issues:

CVE-2012-6707: WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2023-5692: WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.

Created: 2022-07-04 Last update: 2025-12-21 16:30

debian/patches: 1 patch with invalid metadata, 2 patches to forward upstream high

Among the 7 debian patches available in version 6.8.3+dfsg1-1 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.
2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-10-10 08:03

10 security issues in buster high

There are 10 open security issues in buster.

6 important issues:

CVE-2019-8943: WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
CVE-2023-5692: WordPress Core is vulnerable to Sensitive Information Exposure in versions up to, and including, 6.4.3 via the redirect_guess_404_permalink function. This can allow unauthenticated attackers to expose the slug of a custom post whose 'publicly_queryable' post status has been set to 'false'.
CVE-2024-4439: WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
CVE-2024-6307: WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-31111: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WordPress allows Stored XSS.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9.
CVE-2024-32111: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Automattic WordPress allows Relative Path Traversal.This issue affects WordPress: from 6.5 through 6.5.4, from 6.4 through 6.4.4, from 6.3 through 6.3.4, from 6.2 through 6.2.5, from 6.1 through 6.1.6, from 6.0 through 6.0.8, from 5.9 through 5.9.9, from 5.8 through 5.8.9, from 5.7 through 5.7.11, from 5.6 through 5.6.13, from 5.5 through 5.5.14, from 5.4 through 5.4.15, from 5.3 through 5.3.17, from 5.2 through 5.2.20, from 5.1 through 5.1.18, from 5.0 through 5.0.21, from 4.9 through 4.9.25, from 4.8 through 4.8.24, from 4.7 through 4.7.28, from 4.6 through 4.6.28, from 4.5 through 4.5.31, from 4.4 through 4.4.32, from 4.3 through 4.3.33, from 4.2 through 4.2.37, from 4.1 through 4.1.40.

4 issues postponed or untriaged:

CVE-2012-6707: (postponed; to be fixed through a stable update) WordPress through 4.8.2 uses a weak MD5-based password hashing algorithm, which makes it easier for attackers to determine cleartext values by leveraging access to the hash values. NOTE: the approach to changing this may not be fully compatible with certain use cases, such as migration of a WordPress site from a web host that uses a recent PHP version to a different web host that uses PHP 5.2. These use cases are plausible (but very unlikely) based on statistics showing widespread deployment of WordPress with obsolete PHP versions.
CVE-2022-3590: (postponed; to be fixed through a stable update) WordPress is affected by an unauthenticated blind SSRF in the pingback feature. Because of a TOCTOU race condition between the validation checks and the HTTP request, attackers can reach internal hosts that are explicitly forbidden.
CVE-2018-14028: (postponed; to be fixed through a stable update) In WordPress 4.9.7, plugins uploaded via the admin area are not verified as being ZIP files. This allows for PHP files to be uploaded. Once a PHP file is uploaded, the plugin extraction fails, but the PHP file remains in a predictable wp-content/uploads location, allowing for an attacker to then execute the file. This represents a security risk in limited scenarios where an attacker (who does have the required capabilities for plugin uploads) cannot simply place arbitrary PHP code into a valid plugin ZIP file and upload that plugin, because a machine's wp-content/plugins directory permissions were set up to block all new plugins.
CVE-2021-44223: (needs triaging) WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

Created: 2022-07-04 Last update: 2024-06-29 19:18

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2025-08-03 Last update: 2026-01-02 10:30

Depends on packages which need a new maintainer normal

The packages that wordpress depends on which need a new maintainer are:

dh-linktree (#980413)
- Build-Depends: dh-linktree

Created: 2021-01-18 Last update: 2026-01-02 10:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.6.2).

Created: 2024-04-07 Last update: 2025-12-23 20:00

news

[rss feed]

[2025-12-21] Accepted wordpress 6.8.3+dfsg1-0+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-12-21] Accepted wordpress 6.8.3+dfsg1-0+deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-12-20] Accepted wordpress 6.1.9+dfsg1-0+deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-12-09] Accepted wordpress 6.1.9+dfsg1-0+deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Utkarsh Gupta)
[2025-11-02] Accepted wordpress 5.7.14+dfsg1-0+deb11u1 (source) into oldoldstable-security (Utkarsh Gupta)
[2025-10-15] wordpress 6.8.3+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2025-10-09] Accepted wordpress 6.8.3+dfsg1-1 (source) into unstable (Craig Small)
[2025-05-16] wordpress 6.8.1+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2025-05-06] Accepted wordpress 6.8.1+dfsg1-1 (source) into unstable (Craig Small)
[2025-02-21] wordpress 6.7.2+dfsg1-1.1 MIGRATED to testing (Debian testing watch)
[2025-02-16] Accepted wordpress 6.7.2+dfsg1-1.1 (source) into unstable (Niels Thykier)
[2025-02-14] Accepted wordpress 6.7.2+dfsg1-1 (source all) into unstable (Debian FTP Masters) (signed by: Craig Small)
[2025-02-10] wordpress REMOVED from testing (Debian testing watch)
[2024-08-12] wordpress 6.6.1+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-08-06] Accepted wordpress 6.6.1+dfsg1-1 (source) into unstable (Craig Small)
[2024-07-05] wordpress 6.5.5+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-06-30] Accepted wordpress 6.5.5+dfsg1-1 (source) into unstable (Craig Small)
[2024-05-24] wordpress 6.5.3+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-05-19] Accepted wordpress 6.5.3+dfsg1-1 (source) into unstable (Craig Small)
[2024-05-12] Accepted wordpress 5.7.11+dfsg1-0+deb11u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2024-05-12] Accepted wordpress 6.1.6+dfsg1-0+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2024-05-08] Accepted wordpress 5.7.11+dfsg1-0+deb11u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2024-05-08] Accepted wordpress 6.1.6+dfsg1-0+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2024-04-21] wordpress 6.5.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-04-16] Accepted wordpress 6.5.2+dfsg1-1 (source) into unstable (Craig Small)
[2024-04-09] wordpress 6.5+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-04-04] Accepted wordpress 6.5+dfsg1-1 (source) into unstable (Craig Small)
[2024-03-10] Accepted wordpress 5.0.21+dfsg1-0+deb10u1 (source) into oldoldstable (Markus Koschany)
[2024-02-13] wordpress 6.4.3+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2024-02-08] Accepted wordpress 6.4.3+dfsg1-1 (source) into unstable (Craig Small)

bugs [bug history graph]

all: 14
RC: 0
I&N: 9
M&W: 4
F&P: 1
patch: 1

links

homepage
lintian
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 96)
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.7.2+dfsg1-1.1ubuntu1
8 bugs
patches for 6.7.2+dfsg1-1.1ubuntu1