Multiple vulnerabilities in WordPress versions prior to 4.4.2 could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) and open redirection attacks on a targeted system.
The vulnerabilities are due to improper processing of user-supplied input by the affected application. An unauthenticated, remote attacker could exploit these vulnerabilities by persuading a user to visit a crafted URL that is designed to submit malicious input to the affected application. A successful exploit could allow the attacker to conduct an SSRF attack, which could be leveraged to perform unauthorized actions on a targeted system. A successful exploit could also allow the attacker to perform an open redirection attack in which the attacker redirects a user to a malicious website.
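As an added illustration, not code from WordPress or from this advisory, the two checks below show the defensive pattern that closes the vulnerability classes named above: a redirect validator that refuses any target leaving the site (open redirection) and a fetch-URL validator that refuses non-public addresses before a server-side request is made (SSRF). `SITE_HOST`, the function names and the sample URLs are assumptions chosen for the example.

```python
"""Input validation for redirect targets and server-side fetch URLs.

Added example, not WordPress code. SITE_HOST, the helper names and the
sample URLs below are assumptions made for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed configuration: the only host we are willing to redirect browsers to.
SITE_HOST = "blog.example.test"


def is_safe_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """Return True only for redirect targets that stay on our own site.

    Accepts site-relative paths and absolute http(s) URLs whose host is
    exactly `site_host`. Rejects protocol-relative URLs (//evil.example),
    other schemes (javascript:, data:), other hosts, and userinfo tricks
    such as https://site_host@evil.example/.
    """
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path such as /wp-admin/. Refuse the backslash form
        # (/\evil.example), which some browsers normalise to //evil.example.
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname is already lower-cased and stripped of userinfo and port.
    return (
        parts.hostname is not None
        and parts.hostname == site_host.lower()
        and parts.username is None
    )


def is_safe_fetch_url(url: str) -> bool:
    """Return True only for URLs a server-side fetcher may request.

    Rejects non-http(s) schemes, non-standard ports, and literal IP hosts in
    loopback, private, link-local or other non-global ranges. A hostname that
    is not a literal IP passes this static check; a real fetcher must resolve
    it and re-check every resolved address at connect time, which this
    offline example does not do.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.port not in (None, 80, 443):
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True  # not a literal IP: resolved addresses must be checked later
    return addr.is_global


if __name__ == "__main__":
    # Constructed sample inputs showing what each validator accepts.
    for t in ["/wp-admin/", "https://blog.example.test/", "//evil.example/",
              "https://blog.example.test@evil.example/", "javascript:alert(1)"]:
        print(f"redirect {t!r:45} -> {is_safe_redirect(t)}")
    for u in ["http://example.org/feed", "http://127.0.0.1:8080/",
              "http://169.254.169.254/latest/", "file:///etc/passwd", "http://[::1]/"]:
        print(f"fetch    {u!r:45} -> {is_safe_fetch_url(u)}")
```

The redirect check compares the parsed hostname rather than doing a string prefix match, because prefix matching is what lets `https://blog.example.test.evil.example/` or a userinfo segment slip through. The fetch check deliberately treats a non-literal hostname as "undecided" rather than "safe"; the decisive test for SSRF is on the addresses the name actually resolves to, and that belongs in the connect path of the HTTP client.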
WordPress released a security and maintenance release document at the following link: WordPress 4.4.2. WordPress also released software updates at the following link: WordPress 4.4.2
FreeBSD has released a VuXML document at the following link: wordpress -- multiple vulnerabilities. FreeBSD has released ports collection updates at the following link: Ports Collection Index
Administrators are advised to apply the appropriate updates.
Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
Administrators are advised to monitor critical systems.