Min menu


Themes bar

WordPress Security Edition fixes 16 vulnerabilities


WordPress security version 6.0.3 has been deployed to urgently fix a total of 16 vulnerabilities.

WordPress has released a security update to fix sixteen vulnerabilities, and recommends updating sites immediately.

The security notice did not provide a description of how severe the vulnerabilities are, but given the types and large number of vulnerabilities that WordPress has admitted to, it might be a good idea to take this security release seriously.

WordPress Security Edition fixes 16 vulnerabilities

Vulnerabilities patched by WordPress

There are sixteen total fixes covered in this security release that correct various types of vulnerabilities.

Here is a list of the security vulnerabilities that have been fixed:

  1. 9 XSS versions, 6 of which are XSS stored
  2. 2 vulnerabilities related to email
  3. 1 double fraud request via the site
  4. 1 SQL injection
  5. 1 View data (REST endpoint)
  6. 1 open redirect
  7. 1 Roll back shared user copies (presumably the feature caused a vulnerability)

Six vulnerabilities stored in XSS

A stored XSS vulnerability is one in which the payload is uploaded and stored on the servers of the victim's site.

An XSS vulnerability generally occurs anywhere WordPress allows an insert or upload.

This type of vulnerability arises from a flaw in the code where the entry point does not adequately filter what can be loaded, resulting in the ability to load a malicious script or other unexpected file.

The Open Web Application Security Project (OWASP) nonprofit security site describes this type of vulnerability:

Stored attacks are those where the injected script is permanently stored on the target servers, such as the database, in the message forum, guestbook, comment field, etc.

The victim then retrieves the malicious text from the server when it requests the stored information."

Cross-Site Forgery (CSRF) relies on a bit of social engineering to trick a high-level website user with administrative privilege into performing an action such as following a link.

This type of vulnerability can cause the administrator to perform actions that could put the website at risk.

It can also affect regular website users by causing the user to change their login email or withdraw funds.

Open redirect in `wp_nonce_ays`

WordPress Security Edition fixes 16 vulnerabilities

An open redirect is a flaw in which a hacker can take advantage of the redirect.

In this case, the redirect related to the "Are you sure" notification is made to confirm the action.

The official WordPress description for this function is:

If the action contains a nonce annotation message, it will be displayed along with 'Are you sure? " message."

nonce is a security token generated by a WordPress site.

Official WordPress folders define unofficial icons:

  1. A nonce is a 'one-time use' number to help protect URLs and forms from certain types of misuse, malicious or otherwise.
  2. Non-text characters in WordPress are not numbers but a hash made up of numbers and letters.
  3. ... WordPress security tokens are called "nonces" ... because they serve much the same purpose as nonces tokens.
  4. It helps protect against several types of attacks including CSRF, but does not protect against replay attacks because it is not scanned for single use.
  5. Nonces should never be relied on for authentication, authorization, or access control.
  6. Protect your functions with current_user_can(), and always assume that nonces can be hacked. "

WordPress does not describe exactly what this vulnerability is.

But Google has published a description of what the open redirect vulnerability means:

  1. “This is a particularly cumbersome form of abuse because it takes advantage of the functionality of your site rather than exploiting a simple bug or vulnerability.
  2. Spammers hope to use your domain as a temporary "landing page" to trick email users, searchers, and search engines into following links that appear to point to your site, but actually redirect to their spam site."

Because of how this vulnerability affects sensitive functionality related to security and access, it could be somewhat dangerous.

SQL injection due to improper purging in 'WP_Date_Query'

This is a type of vulnerability where an attacker can enter data directly into the database.

A database is basically the heart of a WordPress site, where passwords, posts, etc. are stored.

An improper purge is an indication of a security check that is supposed to limit what can be entered.

SQL injection attacks are very dangerous because they can lead to website hacking.

SQL injection attacks allow attackers to impersonate, tamper with existing data, cause disavowal issues such as canceling transactions or changing balances, allowing full disclosure of all data on the system, corrupting or otherwise making data unavailable, and becoming responsible for a server Database.

... The severity of SQL injection attacks is limited by the skill and imagination of the attacker and, to a lesser extent, the defense in deep countermeasures, such as low privilege connections to the database server and so on. In general, keep in mind that SQL injection has a very serious effect.

WordPress Security Edition

WordPress Security Edition fixes 16 vulnerabilities

The WordPress alert mentioned that this security update affects all versions of WordPress 3.7.

Nowhere in the announcement was provided details of the severity of any of the vulnerabilities.

However, it is probably not an exaggeration to say that sixteen of the vulnerabilities, including six stored XSS and one SQL injection vulnerability are a matter of concern.

WordPress recommends updating websites immediately.