CVE-2014-9031
wordpress - security update
EPSS 0.60%
Description
Cross-site scripting (XSS) vulnerability in the wptexturize function in WordPress before 3.7.5, 3.8.x before 3.8.5, and 3.9.x before 3.9.3 allows remote attackers to inject arbitrary web script or HTML via crafted use of shortcode brackets in a text field, as demonstrated by a comment or a post.
How to fix CVE-2014-9031
To remediate CVE-2014-9031, upgrade the affected package to the fixed version listed below for your release, or to a later version.
- Debian/wordpress—upgrade to 4.0.1+dfsg-1 or later
- Debian/wordpress—upgrade to 3.6.1+dfsg-1~deb6u6 or later
- —upgrade to 3.6.1+dfsg-1~deb7u5 or later
Is CVE-2014-9031 being exploited?
Low. The EPSS score is 0.6%, which indicates a low estimated probability of exploitation; exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 4.0.1+dfsg-1
- from 0, < 3.6.1+dfsg-1~deb6u6
- from 0, < 3.6.1+dfsg-1~deb7u5