Changelog
wordpress (4.7.5+dfsg-2+deb9u1) stretch-security; urgency=medium

  * Backport patches from 4.8.2 Closes: #876274
    - CVE-2017-14723
      $wpdb->prepare() can create unexpected and unsafe queries leading to
      potential SQL injection (SQLi)
      Changeset 41472, 41498
    - CVE-2017-14724
      Cross-site scripting (XSS) vulnerability in the oEmbed discovery
      Changeset 41451
    - CVE-2017-14726
      Cross-site scripting (XSS) vulnerability in the visual editor
      Changeset 41436
    - CVE-2017-14719
      Path traversal vulnerability in the file unzipping code
      Changeset 41459
    - CVE-2017-14721
      Cross-site scripting (XSS) vulnerability in the plugin editor
      Changeset 41413
    - CVE-2017-14725
      Open redirect in the user and term edit screens
      Changeset 41418
    - CVE-2017-14722
      Path traversal vulnerability in the customizer
      Changeset 41430
    - CVE-2017-14720
      Cross-site scripting (XSS) vulnerability in template names
      Changeset 41413 (same as plugin editor)
    - CVE-2017-14718
      Cross-site scripting (XSS) vulnerability in the link modal
  * Hash user activation key Closes: #877629
    Fixes CVE-2017-14990

 -- Craig Small <email address hidden>  Sat, 07 Oct 2017 07:11:32 +1100