Description: Adjust post meta checks
 Fixes CVE-2017-962
 Improper handling of post meta data values in the XML-RPC API.
Author: swisspidy@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/40699
Applied-Upstream: 4.7.5
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2017-05-19
--- a/wp-includes/class-wp-xmlrpc-server.php
+++ b/wp-includes/class-wp-xmlrpc-server.php
@@ -331,6 +331,11 @@
 			if ( isset($meta['id']) ) {
 				$meta['id'] = (int) $meta['id'];
 				$pmeta = get_metadata_by_mid( 'post', $meta['id'] );
+
+				if ( ! $pmeta || $pmeta->post_id != $post_id ) {
+					continue;
+				}
+
 				if ( isset($meta['key']) ) {
 					$meta['key'] = wp_unslash( $meta['key'] );
 					if ( $meta['key'] !== $pmeta->meta_key )
