WordPress 6.0.3 was released this week. The security release fixes 16 flaws.
Nine of them are stored and reflected cross-site scripting (XSS) vulnerabilities.
The security firm that analysed the release has described each vulnerability, sorted by severity from the "highest severity" issues through "medium" down to low.
According to the firm, “We found these vulnerabilities to not be seen as widespread exploits but many of them could present an opportunity for skilled attackers to hack high value sites using targeted attacks.”
One of the most serious flaws can be exploited by anyone able to send email to a site, that is, a site that accepts posts by email: the attacker injects malicious JavaScript into a post, and the script runs in the browser of whoever views that post.
Another serious flaw is a reflected XSS vulnerability that an unauthenticated attacker can trigger with a crafted search query in the media library, running arbitrary JavaScript in the victim's browser. It is considered the most likely to be exploited in this release because the attacker needs no account. It does, however, require user interaction (a logged-in user has to open the crafted link), and building a working payload is not straightforward.
A third serious issue is a SQL injection weakness that is not exploitable through WordPress core itself, but that third-party themes or plugins could expose if they pass attacker-controlled input to the affected code.
A CSRF flaw allows an unauthenticated attacker to send a trackback on behalf of an authenticated user. Successful exploitation requires social engineering, since the victim must be induced to trigger the request.
Sites with automatic background updates enabled will receive the patch automatically; everyone else should update manually. The next major release, version 6.1, is scheduled for November 1.
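The first thing a practitioner wants after an advisory like this is a quick way to tell which installs are still below 6.0.3. The script below is an added example, not code from the article or from WordPress: it parses the `$wp_version = '...';` line that WordPress keeps in `wp-includes/version.php` and compares it with the patched version. The sample file contents are constructed for the demonstration; the `check_install()` path argument is the only thing it expects from a real system.

```python
"""Flag WordPress installs that have not received the 6.0.3 security release.

Added example (not part of the original article or of WordPress). It reads the
version string from wp-includes/version.php, which contains a line such as
    $wp_version = '6.0.2';
and reports whether the install is at or above 6.0.3.
"""
import re
import sys
from pathlib import Path

# The release described in the article. Older branches (5.x and earlier) are
# flagged as well: whether a given old branch received a backported fix is
# outside what this script knows, so treat any version below 6.0.3 as "check".
PATCHED = (6, 0, 3)

VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*'([^']+)'\s*;", re.M)

# Constructed sample contents of wp-includes/version.php, one vulnerable and
# one patched, so the example runs without a WordPress checkout.
SAMPLE_VULNERABLE = "<?php\n$wp_version = '6.0.2';\n$wp_db_version = 53496;\n"
SAMPLE_PATCHED = "<?php\n$wp_version = '6.0.3';\n$wp_db_version = 53496;\n"


def parse_wp_version(php_source: str) -> tuple[int, ...]:
    """Return the numeric part of $wp_version as a 3-tuple, e.g. (6, 0, 2).

    A pre-release suffix such as '6.1-RC1' or '6.0.3-alpha-54321' is dropped,
    so only the numeric components are compared. WordPress writes '6.0' rather
    than '6.0.0' for the first release of a branch, so the tuple is padded.
    """
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    numeric = m.group(1).split("-", 1)[0]
    parts = tuple(int(p) for p in numeric.split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(version: tuple[int, ...]) -> bool:
    """True when the install is at 6.0.3 or later (tuple comparison)."""
    return version >= PATCHED


def check_source(php_source: str) -> dict:
    """Evaluate version.php contents and return a small report dict."""
    version = parse_wp_version(php_source)
    return {
        "version": ".".join(str(p) for p in version),
        "patched": is_patched(version),
    }


def check_install(wp_root: str) -> dict:
    """Evaluate a real install: wp_root is the directory containing wp-includes."""
    source = Path(wp_root, "wp-includes", "version.php").read_text(encoding="utf-8")
    return check_source(source)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        report = check_install(sys.argv[1])
    else:
        # No path given: run against the constructed vulnerable sample.
        report = check_source(SAMPLE_VULNERABLE)
    status = "OK (>= 6.0.3)" if report["patched"] else "UPDATE NEEDED"
    print(f"WordPress {report['version']}: {status}")
```

Run it as `python check_wp.py /var/www/site` to inspect a real install; comparing numeric tuples rather than strings is what keeps `6.1` from sorting below `6.0.3`, and dropping the pre-release suffix means a `6.1-RC1` test site is reported by its branch rather than rejected by the parser.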
According to Sucuri's 2021 website threat research report, WordPress sites accounted for almost one third of all CMS-related malware detections, and for nearly 95% of infected CMS installations.