WordPress 6.0.3 includes fixes for 16 vulnerabilities

A new version of WordPress core has been released with a large batch of fixes. In total, 16 vulnerabilities were fixed in the CMS, 9 of them cross-site scripting (XSS). The remaining issues include open redirects, potential data leaks, cross-site request forgery (CSRF) and SQL injection. The release post itself only lists the closed security issues; brief descriptions of each vulnerability were provided by Defiant's Wordfence team on their blog. Four of the holes are rated high risk, the rest medium or low.

Wordfence analysed the fixes and concluded that the likelihood of any of the new bugs being used to compromise websites at scale is negligible. Some of them, however, may attract attackers who favour targeted attacks.

In particular, the researchers examined a cross-site scripting issue that allows malicious JavaScript to be injected into pages without authentication (a reflected XSS reached through SQL injection). The attack is carried out with a specially crafted request to the search function of the site's media library. According to the experts, building the payload takes some effort and the attack also requires social engineering, but an experienced attacker could manage both.

The second critical vulnerability is classified as stored XSS. It requires permission to create posts on the target WordPress site via email and allows an attacker to plant JavaScript that executes when the malicious post is viewed. The culprit is /wp-mail.php, which handles post-by-email submissions: it turned out that the script did not check the access level of the submitting user, and therefore did not sanitize the content in cases where the user lacked permission to post unfiltered HTML.

The third critical vulnerability is SQL injection. It is not directly exploitable through the CMS core on its own; exploitation in this case goes through an intermediary, a third-party plugin or theme. It turned out that the WP_Date_Query class did not sanitize data sufficiently when building queries.

The fourth critical vulnerability is CSRF, the forging of requests across sites. Exploitation requires no authentication and allows the WordPress trackback mechanism (notifications that link web documents to each other) to be triggered on behalf of another user. The analysis revealed a flaw in the implementation: users connecting to wp-trackback.php were not distinguished strictly enough, since they were identified by a cookie sent with the request. An attacker could therefore use social engineering to get a victim to perform the required actions and thus act in the victim's name.

WordPress 6.0.3 is distributed automatically to users who have chosen that update method; everyone else can download it from the WordPress.org website or install it through the admin panel. The next major CMS release, 6.1, is scheduled for November 1st.
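The two defects described above for wp-mail.php and wp-trackback.php come down to the same two defensive patterns that any WordPress plugin handling user-submitted content should follow: sanitize submitted HTML unless the acting user actually holds the `unfiltered_html` capability, and tie a state-changing request to a nonce rather than to the session cookie alone. The plugin-style PHP below is an added illustration of those patterns, not code from the WordPress release or from the Wordfence write-up. The `secure_demo_*` function names, the `secure_demo_action` nonce action and the form field names are hypothetical; `user_can`, `wp_kses_post`, `wp_nonce_field`, `wp_verify_nonce`, `wp_insert_post` and the other calls are standard WordPress API functions, and the code assumes it is loaded as a plugin inside WordPress.

```php
<?php
/**
 * Added example (not from the WordPress release or the Wordfence post).
 * Assumes it runs as a plugin inside WordPress, so the WP API is available.
 */

// Pattern 1: capability-gated sanitization.
// The decision is made on the submitting user's capability, not on the
// channel the content arrived through (web form, email, XML-RPC, ...).
function secure_demo_prepare_post_content( string $raw_content, int $user_id ): string {
    // `unfiltered_html` is the WordPress capability that permits raw HTML and scripts.
    if ( user_can( $user_id, 'unfiltered_html' ) ) {
        return $raw_content;
    }
    // Everyone else gets the post-safe allowlist: <script>, on* handlers and
    // javascript: URLs are stripped while ordinary post markup survives.
    return wp_kses_post( $raw_content );
}

// Pattern 2: nonce-protected state change.
// A cookie identifies the browser, not the user's intent; a nonce ties the
// request to an action the user initiated from a page the site served them.
function secure_demo_nonce_field(): string {
    // Returns the hidden input (and referer field) to embed in the form.
    return wp_nonce_field( 'secure_demo_action', 'secure_demo_nonce', true, false );
}

function secure_demo_handle_request(): bool {
    if ( ! is_user_logged_in() ) {
        return false;
    }

    $nonce = isset( $_POST['secure_demo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['secure_demo_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'secure_demo_action' ) ) {
        return false; // cross-site forged submission: no valid nonce for this user/action
    }

    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    $safe    = secure_demo_prepare_post_content( $content, get_current_user_id() );

    $post_id = wp_insert_post(
        array(
            'post_title'   => 'Demo post',
            'post_content' => $safe,
            'post_status'  => 'draft',
            'post_author'  => get_current_user_id(),
        ),
        true // return WP_Error on failure instead of 0
    );

    return ! is_wp_error( $post_id );
}
```

In a real plugin, `secure_demo_handle_request()` would be hooked to an `admin_post_*` action and `secure_demo_nonce_field()` echoed inside the form; the point of the split is that the sanitization decision lives in one place and depends only on who is submitting, so a new submission channel cannot bypass it the way the post-by-email path did.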