WordPress 6.0.3 began rolling out this week. The security release fixes 16 vulnerabilities.
Nine of them are stored or reflected cross-site scripting (XSS) bugs; the remainder cover an open redirect, data exposure, cross-site request forgery (CSRF) and SQL injection.
Defiant, the WordPress security firm behind Wordfence, has published a description of each vulnerability. Four are rated high severity; the others are medium or low.
The company cautioned: “We have found that these vulnerabilities are unlikely to be perceived as mass exploits, but several of them potentially present a mechanism for knowledgeable attackers to hack high-value sites via tailored attacks.”
The first high-severity issue is a stored XSS reachable through WordPress’s post-by-email feature: a user who can submit posts by email can embed malicious JavaScript in a post, and the script runs in the browser of anyone who views it.
The second is a reflected XSS triggered by a crafted search query in the media library. An unauthenticated attacker could use it to run arbitrary JavaScript in a victim’s browser, and because no authentication is needed Defiant considers it potentially the most exploitable bug in this release. It still requires user interaction (the victim must be induced to open the crafted URL), and building a working payload is difficult.
The third is a SQL injection that becomes exploitable only when a third-party plugin or theme feeds untrusted input into the affected code; WordPress core on its own is not affected.
The fourth is a CSRF flaw that lets an unauthenticated attacker submit a trackback on behalf of an authenticated user, although successful exploitation depends on social engineering.
Sites with automatic background updates enabled receive the patch without administrator action; everyone else should update manually and confirm the installed version afterwards. WordPress 6.1, the next major release, is scheduled for November 1.
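One concrete check an administrator can run after the rollout is to confirm that an install really reports 6.0.3 or later. The script below is an added example, not code from the article, Defiant or the WordPress project. It reads the version string from the two places a site normally exposes it: `wp-includes/version.php`, which sets `$wp_version` in every WordPress install, and the `<meta name="generator">` tag many themes emit in page HTML. The sample file contents and HTML are constructed for the demonstration, and the comparison assumes a site tracking the 6.0 branch; a site deliberately held on an older branch has its own patched version number, which is why `is_patched` takes the target version as a parameter.

```python
"""Check whether a WordPress install is at or past the 6.0.3 security release.

Added example, not the article's or WordPress's own code. Versions are
compared numerically so that 6.0.10 correctly ranks above 6.0.3.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "6.0.3"  # the release named in the article

# $wp_version = '6.0.2';  -- the real assignment found in wp-includes/version.php
_VERSION_PHP_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")

# <meta name="generator" content="WordPress 6.0.2" />  (name-before-content
# attribute order only; a simplification for this example)
_GENERATOR_RE = re.compile(
    r"<meta\s+name=[\"']generator[\"']\s+content=[\"']WordPress\s+([^\"'\s]+)",
    re.IGNORECASE,
)


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '6.0.3' or '6.1-alpha-54194' into a comparable tuple of ints.

    Only the leading dotted-numeric part is used and it is padded to three
    components. Pre-release suffixes are dropped (assumption: a development
    build is judged by its branch number, which is all this check needs).
    """
    m = re.match(r"(\d+(?:\.\d+)*)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised WordPress version string: {ver!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_from_version_php(php_source: str) -> Optional[str]:
    """Extract $wp_version from the text of wp-includes/version.php."""
    m = _VERSION_PHP_RE.search(php_source)
    return m.group(1) if m else None


def version_from_html(html: str) -> Optional[str]:
    """Extract the version from a page's generator meta tag, if present."""
    m = _GENERATOR_RE.search(html)
    return m.group(1) if m else None


def is_patched(ver: str, fixed: str = FIXED_VERSION) -> bool:
    """True when ver is numerically at or above the fixed release."""
    return parse_version(ver) >= parse_version(fixed)


def assess(ver: Optional[str], fixed: str = FIXED_VERSION) -> str:
    """One-line verdict suitable for a log or a monitoring check."""
    if ver is None:
        return "unknown: no WordPress version string found"
    if is_patched(ver, fixed):
        return f"patched: {ver} is at or above {fixed}"
    return f"vulnerable: {ver} is older than {fixed}; update now"


# Constructed sample inputs (not taken from any real site).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '6.0.2';
"""

SAMPLE_HTML = (
    '<html><head><title>Example</title>'
    '<meta name="generator" content="WordPress 6.0.3" />'
    '</head><body></body></html>'
)


if __name__ == "__main__":
    # On a real host: open("/var/www/html/wp-includes/version.php").read()
    print("version.php:", assess(version_from_version_php(SAMPLE_VERSION_PHP)))
    # On a real host: the HTML of the site's front page
    print("generator tag:", assess(version_from_html(SAMPLE_HTML)))
```

The `version.php` read is the authoritative one; the generator tag is often removed by hardening plugins, so treat its absence as "unknown", not as "patched".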
According to Sucuri’s 2021 Website Threat Research Report, WordPress sites accounted for over 95% of the CMS infections the company cleaned, and almost one-third of the sites on which it found a credit card skimmer were running WordPress.