May 2018

WordPress 4.9.6 Privacy and Maintenance Release

WordPress 4.9.6 is now available. This is a privacy and maintenance release. We encourage you to update your sites to take advantage of the new privacy features.

Privacy

The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25. The GDPR requires companies and site owners to be transparent about how they collect, use, and share personal data. It also gives individuals more access and choice when it comes to how their own personal data is collected, used, and shared.

Scrollable Content - Critical - Unsupported - SA-CONTRIB-2018-026

Project: Scrollable Content
Date: 2018-May-09
Security risk: *Critical* 16∕25
Vulnerability: Unsupported

Description

Scrollable Content provides scrolling functionality for your content. It
presents your site's nodes in a content slider preview and offers several
display options.

Simple Taxonomy Revision - Critical - Unsupported - SA-CONTRIB-2018-025

Project: Simple Taxonomy Revision
Date: 2018-May-09
Security risk: *Critical* 16∕25
Vulnerability: Unsupported

Description

The Simple Taxonomy Revision module enables revisions for taxonomy terms in
Drupal 8.

The security team is marking this module unsupported. There is a known
security issue with the module that has not been fixed by the maintainer. If
you would like to maintain this module, please read:
https://www.drupal.org/node/251466.

KCFinder integration - Critical - Unsupported Module - SA-CONTRIB-2018-024

Project: KCFinder integration
Date: 2018-May-09
Security risk: *Critical* 16∕25
Vulnerability: Unsupported Module

Description

KCFinder is a multi-language file / image manager you can use to easily
select, insert, upload and arrange images, flash movies, and other kinds of
files.

SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027

Project: SVG Formatter
Date: 2018-May-09
Security risk: *Critical* 15∕25
Vulnerability: Cross Site Scripting

Description

This module adds a new formatter for file fields and allows files of any
extension to be uploaded.
The module does not sufficiently sanitize uploaded SVG files.
This vulnerability is mitigated by the fact that an attacker must have a role
with permission to create or edit content of a content type that allows SVG
files to be uploaded.