Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2014-5240

Cross-site scripting (XSS) vulnerability in wp-includes/pluggable.php in WordPress before 3.9.2, when Multisite is enabled, allows remote authenticated administrators to inject arbitrary web script or HTML, and obtain Super Admin privileges, via a crafted avatar URL.

Related bugs and status

CVE-2014-5240 (Candidate) is related to these bugs:

Bug #1395336: security fixes since 3.8.2

Summary				In	Importance	Status
	1395336	security fixes since 3.8.2		wordpress (Ubuntu)	Undecided	Invalid
	1395336	security fixes since 3.8.2		wordpress (Ubuntu Trusty)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2014081...
CONFIRM: https://core.trac.word...
CONFIRM: https://wordpress.org/...
DEBIAN: DSA-3001