CVE-2015-5730

Description

The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated.

How to fix CVE-2015-5730

To remediate CVE-2015-5730, upgrade the affected package to a fixed version below.

• Debian/wordpress—upgrade to 4.2.4+dfsg-1 or later

Is CVE-2015-5730 being exploited?

Moderate — EPSS is 9.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 4.2.4+dfsg-1

References (1)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2015-5730