WordPress published a security release to address multiple vulnerabilities discovered in versions of WordPress prior to 6.0.3. WordPress also updated all versions since WordPress 3.7.
Cross Site Scripting (XSS) Vulnerability
The U.S. Government National Vulnerability Database published warnings of multiple vulnerabilities affecting WordPress.
There are multiple kinds of vulnerabilities affecting WordPress, including a type known as Cross Site Scripting, often referred to as XSS.
A cross site scripting vulnerability typically arises when a web application like WordPress doesn’t properly check (sanitize) what is entered into a form or uploaded through a file upload field.
An attacker can deliver a malicious script to a user visiting the site; the user’s browser then executes that script, which can send sensitive information, or cookies containing the user’s credentials, to the attacker.
Another vulnerability discovered is called a Stored XSS, which is generally considered to be worse than a regular XSS attack.
With a stored XSS attack, the malicious script is stored on the website itself and is executed whenever a user, logged in or not, visits the website.
A third kind of vulnerability discovered is called a Cross-Site Request Forgery (CSRF).
The non-profit Open Web Application Security Project (OWASP) security website describes this kind of vulnerability:
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.
If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth.
If the victim is an administrative account, CSRF can compromise the entire web application.”
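As an added illustration (not code from WordPress or from the article), the following Python model shows the two defences that the stored XSS and CSRF classes described above call for: escaping stored comment text on output, and a per-user, per-action nonce that a cross-site form submission cannot forge. The nonce scheme is a simplified version of WordPress’s own, and the secret, comment store and sample comment are constructed for the demonstration.

```python
import hashlib, hmac, html, time

# Constructed secret; in WordPress this role is played by the salts in wp-config.php.
SECRET = b"constructed-demo-secret"
NONCE_LIFE = 24 * 60 * 60  # WordPress nonces live for 24 hours, in two 12-hour ticks

# --- Stored XSS: the comment is saved verbatim; the bug or fix lives at render time ---
comments = []  # stand-in for the comments table

def save_comment(author, body):
    comments.append({"author": author, "body": body})

def render_unsafe(comment):
    # Vulnerable rendering: stored HTML is emitted as-is, so a stored <script> runs
    # in every visitor's browser.
    return f"<p><b>{comment['author']}</b>: {comment['body']}</p>"

def render_safe(comment):
    # Mitigation: escape on output (WordPress core uses esc_html()/wp_kses() for this).
    return f"<p><b>{html.escape(comment['author'])}</b>: {html.escape(comment['body'])}</p>"

# --- CSRF: a nonce bound to user and action, which a third-party site cannot compute ---
def _tick(now):
    return int(now // (NONCE_LIFE / 2))

def _nonce_for_tick(tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]

def create_nonce(action, user_id, now=None):
    now = time.time() if now is None else now
    return _nonce_for_tick(_tick(now), action, user_id)

def verify_nonce(nonce, action, user_id, now=None):
    # Accept the current tick and the previous one, so a nonce is valid for 12 to 24 hours.
    now = time.time() if now is None else now
    current = _tick(now)
    return any(hmac.compare_digest(nonce, _nonce_for_tick(t, action, user_id))
               for t in (current, current - 1))

def handle_edit_comment(form, user_id, now=None):
    # A state-changing request is rejected unless it carries a valid nonce
    # for this user and this action (the role of check_admin_referer() in WordPress).
    if not verify_nonce(form.get("_wpnonce", ""), "edit-comment", user_id, now):
        return "403: nonce check failed"
    save_comment(form["author"], form["body"])
    return "200: comment saved"
```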
These are the vulnerabilities discovered:
- Stored XSS via wp-mail.php (post by email)
- Open redirect in `wp_nonce_ays`
- Sender’s email address is exposed in wp-mail.php
- Media Library – Reflected XSS via SQLi
- Cross-Site Request Forgery (CSRF) in wp-trackback.php
- Stored XSS via the Customizer
- Revert shared user instances introduced in 50790
- Stored XSS in WordPress Core via Comment Editing
- Data exposure via the REST Terms/Tags Endpoint
- Content from multipart emails leaked
- SQL Injection due to improper sanitization in `WP_Date_Query`
- RSS Widget: Stored XSS issue
- Stored XSS in the search block
- Feature Image Block: XSS issue
- RSS Block: Stored XSS issue
- Fix widget block XSS
Recommended Action
WordPress recommended that all users update their websites immediately.
The official WordPress announcement stated:
“This release features several security fixes. Because this is a security release, it is recommended that you update your sites immediately.
All versions since WordPress 3.7 have also been updated.”
Read the official WordPress announcement here:
WordPress 6.0.3 Security Release