WordPress published a security release to address multiple vulnerabilities discovered in versions of WordPress prior to 6.0.3. WordPress also updated all versions since WordPress 3.7.
The U.S. Government National Vulnerability Database published warnings of multiple vulnerabilities affecting WordPress.
There are multiple kinds of vulnerabilities affecting WordPress, including a type known as Cross-Site Scripting, commonly referred to as XSS.
A cross-site scripting vulnerability typically arises when a web application like WordPress doesn’t properly check (sanitize) what is entered into a form or submitted through a file upload input.
An attacker can deliver a malicious script to the browser of a user who visits the site; the browser executes the script, which can then send sensitive information, such as cookies containing user credentials, to the attacker.
Another vulnerability discovered is called a Stored XSS, which is generally considered to be worse than a regular (reflected) XSS attack.
With a stored XSS attack, the malicious script is saved on the website itself and is executed whenever any user, including a logged-in user, visits the page that displays it.
A third kind of vulnerability discovered is called a Cross-Site Request Forgery (CSRF).
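The following is an added example, not code from the article or from WordPress, illustrating the stored XSS scenario described above: a comment saved by the site is rendered once without escaping (vulnerable) and once with output escaping (hardened). It is plain PHP so it runs on its own; the function names render_comment_vulnerable, render_comment_safe and esc_html_ctx, and the sample comments, are constructed for this example. In WordPress itself the equivalent escaping is done with esc_html() and esc_attr().

```php
<?php
// Added example (not from the original article): a minimal comment-display
// routine showing a stored XSS bug and its fix with output escaping.
// Plain PHP so it runs stand-alone; WordPress equivalents are noted in comments.
declare(strict_types=1);

// Constructed sample data: two comments the site stored verbatim from its form.
// The second one carries a textbook script payload; it is inert text until a
// page echoes it into HTML without escaping.
$storedComments = [
    ['author' => 'alice',   'body' => 'Great post, thanks!'],
    ['author' => 'mallory', 'body' => '<script>alert("xss")</script>'],
];

// Vulnerable rendering: stored text is interpolated straight into the HTML,
// so every visitor's browser parses the stored <script> tag and runs it.
function render_comment_vulnerable(array $comment): string
{
    return "<li><b>{$comment['author']}</b>: {$comment['body']}</li>";
}

// Escape a value for an HTML text context: '<' becomes '&lt;', quotes are
// encoded, and invalid UTF-8 is replaced rather than passed through.
// WordPress provides the same behaviour as esc_html() (esc_attr() for attributes).
function esc_html_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every untrusted value is escaped at the point of output,
// so the payload is displayed to the reader as harmless text.
function render_comment_safe(array $comment): string
{
    return '<li><b>' . esc_html_ctx($comment['author']) . '</b>: '
         . esc_html_ctx($comment['body']) . '</li>';
}

foreach ($storedComments as $comment) {
    echo 'vulnerable: ' . render_comment_vulnerable($comment) . PHP_EOL;
    echo 'safe:       ' . render_comment_safe($comment) . PHP_EOL;
}
```

Run it with `php stored_xss_example.php` and compare the two output lines for the second comment: the vulnerable version emits a live script tag, the safe version emits `&lt;script&gt;...`. The point of the design is that escaping happens on output, per context, regardless of whether the value was sanitized on the way in.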
The non-profit Open Web Application Security Project (OWASP) security website describes this kind of vulnerability:
“Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing.
If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth.
If the victim is an administrative account, CSRF can compromise the entire web application.”
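As an added example (not from the article, OWASP, or WordPress), the following plain PHP shows the standard defence against the CSRF scenario OWASP describes: a per-session token embedded in the legitimate form and verified on every state-changing request. The names issue_csrf_token and handle_change_email, and the simulated session and form data, are constructed for this example; WordPress implements the same idea with wp_nonce_field() in the form and check_admin_referer() or wp_verify_nonce() in the handler.

```php
<?php
// Added example (not from the original article): a synchronizer-token check for a
// state-changing form, in plain PHP so it runs stand-alone. WordPress implements the
// same idea with wp_nonce_field() / check_admin_referer(); the names here are the
// example's own.
declare(strict_types=1);

// Stand-in for the server-side session store of a logged-in user (constructed).
$session = [];

// Called when the legitimate form is rendered: mint a random token, remember it
// in the session, and embed it in the form as a hidden field.
function issue_csrf_token(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Handler for a state-changing request such as "change my email address".
// Returns true only when the submitted token matches the one stored in the session.
function handle_change_email(array $session, array $post): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = (string) ($post['csrf_token'] ?? '');
    // hash_equals() compares in constant time, so the check does not leak the token
    // through response timing.
    if ($expected === '' || !hash_equals($expected, $submitted)) {
        return false; // reject: the request did not come from our own form
    }
    // ... the real handler would update the address here ...
    return true;
}

// Legitimate flow: the user's browser loaded our form, which carried the token,
// so the submission includes it and is accepted.
$token = issue_csrf_token($session);
$legitimateSubmission = ['email' => 'new@example.com', 'csrf_token' => $token];
var_dump(handle_change_email($session, $legitimateSubmission));

// Cross-site flow: a forged form on another site can make the victim's browser
// send the session cookie, but it cannot read the token from our page, so the
// forged submission arrives without it and is rejected.
$forgedSubmission = ['email' => 'attacker@example.com'];
var_dump(handle_change_email($session, $forgedSubmission));
```

The token works because of the same-origin policy: another site can cause the browser to submit a request with the victim's cookies, but it cannot read a value that only appears in a page served by the target site. Issuing the token at form render time and checking it in the handler is exactly the split WordPress makes between wp_nonce_field() and check_admin_referer().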
These are the vulnerabilities discovered:
WordPress recommended that all users update their websites immediately.
The official WordPress announcement stated:
“This release features several security fixes. Because this is a security release, it is recommended that you update your sites immediately.
All versions since WordPress 3.7 have also been updated.”
WordPress 6.0.3 Security Release