Changelog
wordpress (4.1+dfsg-1+deb8u13) jessie-security; urgency=medium
* Backport patches from 4.7.3 Closes: #857026
- CVE-2017-6814
Cross-site scripting (XSS) via media file metadata.
Changeset 40155
- CVE-2017-6815
Control characters can trick redirect URL validation.
Changeset 40190
- CVE-2017-6816
Unintended files can be deleted by administrators using the plugin
deletion functionality.
Changeset 40176
- CVE-2017-6817
Cross-site scripting (XSS) via video URL in YouTube embeds.
Changeset 40167
* Not vulnerable:
- CVE-2017-6819
Cross-site request forgery (CSRF) in Press This leading to excessive
use of server resources.
Press This introduced in 4.2
- CVE-2017-6818
Cross-site scripting (XSS) via taxonomy term names.
-- Craig Small <email address hidden> Thu, 16 Mar 2017 06:19:41 +1100