WordPress Hit With Multiple Vulnerabilities In Versions Prior To 6.0.3

WordPress published a security release to address multiple vulnerabilities discovered in versions of WordPress prior to 6.0.3. WordPress also updated all versions since WordPress 3.7.

Cross Site Scripting (XSS) Vulnerability

The U.S. government's National Vulnerability Database (NVD) published warnings of multiple vulnerabilities affecting WordPress.

There are multiple kinds of vulnerabilities affecting WordPress, including a type known as Cross Site Scripting, often referred to as XSS.

A cross-site scripting vulnerability typically arises when a web application like WordPress doesn't properly check (sanitize) what a user supplies, such as text typed into a form or a file sent through an upload field, and then writes it back into a page without escaping it.

An attacker can deliver a malicious script to a user who visits the site, for example in a crafted link; the victim's browser then executes the script in the context of the site, which can hand sensitive information, such as cookies containing user credentials, to the attacker.

Another vulnerability discovered is a Stored XSS, which is generally considered to be worse than a regular XSS attack.

With a stored XSS attack, the malicious script is saved on the website itself (for example in a comment or a widget setting) and executes whenever a user, including a logged-in user, views the affected page.
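As an added illustration that is not part of the original article or of WordPress core, the following plain PHP shows the defect behind both reflected and stored XSS and the fix: escaping untrusted text for its HTML context at output time. The function names, the in-memory comment store and the sample input are constructed for this example; the comments note the WordPress functions (esc_html(), esc_attr(), wp_kses_post()) that play the same role in a real theme or plugin.

```php
<?php
// Added example; not code from the article or from WordPress core.
// Demonstrates why unescaped output is XSS and how context-aware escaping fixes it.

// Constructed sample input: what a search box or a comment field might receive.
$untrusted = '<script>alert("xss")</script>';

// VULNERABLE: raw input is interpolated into markup, so the browser parses it as a
// <script> element and runs it. Reflected XSS: the string comes straight from the
// request. Stored XSS: it was saved earlier (a comment, a widget setting) and is
// echoed on every page view to every visitor, logged in or not.
function render_search_vulnerable(string $query): string
{
    return '<p>Results for: ' . $query . '</p>';
}

// FIXED: escape for the HTML text context at the point of output.
// In WordPress this is what esc_html() does; esc_attr() covers attribute values
// and wp_kses_post() keeps only an allow-list of tags where limited HTML is wanted.
function esc_html_text(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_search_safe(string $query): string
{
    return '<p>Results for: ' . esc_html_text($query) . '</p>';
}

// Attribute context: quoting the value is not enough on its own; the escaper must
// also encode quote characters (ENT_QUOTES above), otherwise a quote in the input
// closes the attribute and the rest becomes new attributes or markup.
function render_search_box_safe(string $query): string
{
    return '<input type="text" name="s" value="' . esc_html_text($query) . '">';
}

// Stored XSS: sanitize on the way in AND escape on the way out (defense in depth).
// strip_tags() stands in for wp_kses_post() in this stand-alone example; WordPress
// keeps an allow-list of harmless tags rather than removing all of them.
function store_comment(array &$comments, string $comment): void
{
    $comments[] = strip_tags($comment);
}

function render_comments(array $comments): string
{
    $items = '';
    foreach ($comments as $c) {
        $items .= '<li>' . esc_html_text($c) . '</li>';
    }
    return '<ul>' . $items . '</ul>';
}

// Reflected case: the first line still contains a live <script> element,
// the second has it encoded so the browser shows it as plain text.
echo render_search_vulnerable($untrusted), "\n";
echo render_search_safe($untrusted), "\n";
echo render_search_box_safe($untrusted), "\n";

// Stored case: the tag is removed on input and the remainder escaped on output.
$comments = [];
store_comment($comments, 'Nice post! ' . $untrusted);
echo render_comments($comments), "\n";
```

The point to take from the two renderers is that the fix lives at the output site, keyed to the context (text, attribute, URL, JavaScript) the value is written into; sanitizing on input alone is what the "improper sanitization" items in the list below were missing, and escaping on output still protects pages that render data stored before a fix was deployed.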

A third kind of vulnerability discovered is a Cross-Site Request Forgery (CSRF).

The non-profit Open Web Application Security Project (OWASP) security website describes this kind of vulnerability:

“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.

If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth.

If the victim is an administrative account, CSRF can compromise the entire web application.”
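To make OWASP's description concrete, here is an added example (not from the article, OWASP or WordPress core) of the synchronizer-token defense that WordPress nonces implement the same idea as: the form carries a per-session secret that a cross-site forgery cannot supply. The session array, user store and handler names are constructed for this example; in WordPress the corresponding pieces are wp_nonce_field() on the form and check_admin_referer() or wp_verify_nonce() in the handler.

```php
<?php
// Added example; not code from the article, OWASP or WordPress core.
// A "change email" action with and without a CSRF token check.

// Constructed stand-ins for the server-side session and the user table.
$session = ['user_id' => 42, 'csrf_token' => null];
$users   = [42 => ['email' => 'victim@example.com']];

// Issue a fresh random token and remember it in the session.
function issue_csrf_token(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Hidden field for the form; WordPress: wp_nonce_field('change_email').
function csrf_form_field(array &$session): string
{
    $token = issue_csrf_token($session);
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the submitted token with the session copy in constant time so that
// timing differences do not leak the token byte by byte.
function csrf_token_valid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['_csrf']) || !is_string($post['_csrf'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['_csrf']);
}

// VULNERABLE handler: trusts the session cookie alone. Because the browser attaches
// that cookie to any request aimed at this site, a form auto-submitted from another
// site while the victim is logged in is indistinguishable from a legitimate one.
function change_email_vulnerable(array $session, array $post, array &$users): bool
{
    $users[$session['user_id']]['email'] = $post['email'];
    return true;
}

// FIXED handler: refuse unless the request carries the token the form was given.
// WordPress: check_admin_referer('change_email') stops with an "Are you sure?" page.
function change_email_safe(array $session, array $post, array &$users): bool
{
    if (!csrf_token_valid($session, $post)) {
        return false;
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }
    $users[$session['user_id']]['email'] = $email;
    return true;
}

// Legitimate flow: the page renders the form (token issued) and the browser
// submits it back, so the token matches the session and the change is applied.
$field = csrf_form_field($session);
$legit = ['email' => 'new@example.com', '_csrf' => $session['csrf_token']];
var_dump(change_email_safe($session, $legit, $users));
echo $users[42]['email'], "\n";

// Forged cross-site request: the cookie (session) is present but the attacker's
// page never saw the token, so the safe handler rejects it while the vulnerable
// handler silently overwrites the address.
$forged = ['email' => 'attacker@example.net'];
var_dump(change_email_safe($session, $forged, $users));
var_dump(change_email_vulnerable($session, $forged, $users));
echo $users[42]['email'], "\n";
```

Two details matter for a real deployment: the token must be tied to the authenticated user (WordPress nonces hash the user ID and the action name into the value), and the check must sit in every state-changing handler, including ones reached through legacy endpoints such as the wp-trackback.php entry in the list below, not only in the main settings forms.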

These are the vulnerabilities discovered:

  1. Stored XSS via wp-mail.php (post by email)
  2. Open redirect in `wp_nonce_ays`
  3. Sender’s email address is exposed in wp-mail.php
  4. Media Library – Reflected XSS via SQLi
  5. Cross-Site Request Forgery (CSRF) in wp-trackback.php
  6. Stored XSS via the Customizer
  7. Revert shared user instances introduced in 50790
  8. Stored XSS in WordPress Core via Comment Editing
  9. Data exposure via the REST Terms/Tags Endpoint
  10. Content from multipart emails leaked
  11. SQL Injection due to improper sanitization in `WP_Date_Query`
  12. RSS Widget: Stored XSS issue
  13. Stored XSS in the search block
  14. Feature Image Block: XSS issue
  15. RSS Block: Stored XSS issue
  16. Fix widget block XSS

Recommended Action

WordPress recommended that all users update their websites immediately.

The official WordPress announcement stated:

“This release features several security fixes. Because this is a security release, it is recommended that you update your sites immediately.

All versions since WordPress 3.7 have also been updated.”

Read the official WordPress announcement here:

WordPress 6.0.3 Security Release

Read the National Vulnerability Database entries for these vulnerabilities:

CVE-2022-43504

CVE-2022-43500

CVE-2022-43497

Published by
Taylor Davis