WordPress announced it was publishing a maintenance and security release that patches multiple vulnerabilities including one that could lead to a full site takeover.
Maintenance and Security Release WordPress 6.3.2
WordPress 6.3.2 delivers 41 bug fixes but more importantly it ships with patches for eight vulnerabilities.
The following eight vulnerabilities were recently discovered and patched:
- A vulnerability in the WordPress core that allows arbitrary shortcode execution
- Potential disclosure of user email addresses by unauthenticated hackers using
- Remote code execution via a POP chain vulnerability
- Cross-site scripting (XSS) vulnerability in the post link navigation block
- Leaked comment visibility on private posts
- Reflected cross-site scripting (XSS) vulnerability in the application passwords screen
- Cross-site scripting (XSS) vulnerability in the footnotes block
- Cache poisoning Denial of Service (DoS) vulnerability
Some of the vulnerabilities are due to insufficient input sanitization, meaning that submitted data is not being filtered for malicious input before it is used.
The official WordPress developer page on input sanitization explains:
“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.
Sanitizing input is the process of securing/cleaning/filtering input data.
Validation is preferred over sanitization because validation is more specific.
But when ‘more specific’ isn’t possible, sanitization is the next best thing.”
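As an added example (not from the article or from WordPress core) of the pattern the handbook describes, validate first, sanitize only where no stricter check exists, and escape at output, written in plain PHP so it runs without WordPress. The request values are constructed; the core helpers named in the comments (absint, is_email, sanitize_text_field, esc_html) are the real WordPress functions these mirror.

```php
<?php
// Added example, not WordPress core code: validation beats sanitization
// where the input has a known shape; sanitization is the fallback for free text.

// Validation: accept only a known value, reject everything else.
// Same idea WordPress applies before passing "orderby" to WP_Query.
function validate_orderby(string $raw): ?string {
    $allowed = ['date', 'title', 'author'];
    return in_array($raw, $allowed, true) ? $raw : null;
}

// Validation: a bounded positive integer (absint() plus a range check).
function validate_per_page(string $raw): ?int {
    if (!ctype_digit($raw)) return null;
    $n = (int) $raw;
    return ($n >= 1 && $n <= 100) ? $n : null;
}

// Validation: an email address via PHP's built-in filter (WordPress: is_email()).
function validate_email(string $raw): ?string {
    $v = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// Sanitization: free text has no single "correct" shape, so strip tags,
// control characters and surrounding whitespace (roughly sanitize_text_field()).
function sanitize_display_name(string $raw): string {
    $s = strip_tags($raw);
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
    return trim($s);
}

// Escaping is done at output time regardless of input handling (esc_html()).
function esc_for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request, as it might arrive in $_GET.
$request = ['orderby' => 'title; DROP', 'per_page' => '250',
            'email' => 'user@example.com', 'name' => "<b>Ann</b>\x00"];

$orderby  = validate_orderby($request['orderby'])   ?? 'date'; // invalid -> safe default
$per_page = validate_per_page($request['per_page']) ?? 10;     // out of range -> default
$email    = validate_email($request['email']);                  // null would mean reject
$name     = sanitize_display_name($request['name']);            // "Ann"

printf("orderby=%s per_page=%d email=%s name=%s\n",
    $orderby, $per_page, $email ?? 'invalid', esc_for_html($name));
```

Note that the allow-list and range checks discard bad input outright, while the display name is only cleaned; that asymmetry is exactly why the handbook prefers validation when the expected shape is known.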
All of the vulnerabilities are rated as medium severity, including patches for five medium severity issues.
An advisory about the current security release posted by Wordfence notes that at least one of the vulnerabilities contained the potential for a full site takeover.
WordPress advises all users to verify that their WordPress installations are updated to the very latest version, WordPress version 6.3.2.
According to the official WordPress announcement:
“Because this is a security release, it is recommended that you update your sites immediately.
Backports are also available for other major WordPress releases, 4.1 and later.”
Read the official WordPress security release announcement: