-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2016.0007.2
             WordPress 4.4.2 Security and Maintenance Release
                              9 February 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              WordPress
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Provide Misleading Information -- Remote with User Interaction
                      Unauthorised Access            -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-2221 CVE-2016-2222 
Member content until: Friday, March  4 2016

Revision History:     February 9 2016: Added CVE numbers
                      February 3 2016: Initial Release

OVERVIEW

        Two security issues have been identified in WordPress prior to version
        4.4.2. [1]


IMPACT

        The vendor has provided the following information about the 
        vulnerabilities:
        
        CVE-2016-2221, CVE-2016-2222: "WordPress versions 4.4.1 and earlier
        are affected by two security issues: a possible SSRF for certain 
        local URIs, reported by Ronni Skansing; and an open redirection 
        attack, reported by Shailesh Suthar." [1]


MITIGATION

        The vendor recommends updating to the latest version. [1]


REFERENCES

        [1] WordPress 4.4.2 Security and Maintenance Release
            https://wordpress.org/news/2016/02/wordpress-4-4-2-security-and-maintenance-release/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVrlrSH6ZAP0PgtI9AQL/UQ//WGsKat00lGYa6WwbR0KYa1Ns/XhM9c2F
Fexz+aD5U9Ue1SZaF+9XcOtINTzq32FTToaSJNK8f4VSkaL7aQH178+6Gv5hxElV
zq+sgt7hpJNnrlE4zckzugX1XlRRe14u6j9gG/NMWNoYN1vZm5zwDJU7v47FAotf
f4c7b8X3THn6ZrHt/u7BS+uCxkVkOJ5tz75W/X52qiWezvkiafBIyoZyhUn4LvId
eaYH04akKXfUgjpqNK5ZweRCAoYlAH8PmXZQkE6Ugq9CxOqrko5eWvrVpUbvuzj5
Q/lgnqzRMKrfUEnmBkaWlFczVjhUhGMKIcq3I9QbzCxCNeV+eKNVB2dbM1a08tKB
Kx4Py8PY/QPJ89ZpNWTR15OaLy0V41nZp/NpKx+1nK/aD7dY4SUilhYceqSfl2te
A85HruyHPp02hsObvE2IWViB0ypisH7e+Gn+EuA9IgI3DxRcdrX2JwUZpN7H6u3B
omOAMtEFf17Iaail4k1ER3ebgGouYf4KonaVUu6gsYyopo/v9bhOIJJWvjGoElDB
ZO4KDSKkm1aZ6fvgFDuO1jaEMFFChMYyDX5sL5xH15IIh5qk4A9hQYm0mWTRuT8c
gYBtNaDtyDmSfo4hiHPwdnUZ2v5pd6MjTAN/GAT4Qa3DpGFZcTiIsUWDrRrx6t70
zl3wt6LFgx0=
=UuDh
-----END PGP SIGNATURE-----