WordPress announced the 6.5.2 maintenance and security update, which fixes a cross-site scripting vulnerability and more than a dozen bugs in the core and the block editor.
The same vulnerability affects both WordPress core and the Gutenberg plugin.
Cross Site Scripting (XSS)
An XSS vulnerability was discovered in WordPress that could allow an attacker to inject scripts into a website; those scripts then attack visitors to the affected pages.
There are three types of XSS vulnerabilities, but the ones most commonly discovered in WordPress plugins, themes, and WordPress itself are reflected XSS and stored XSS.
Reflected XSS requires the victim to click on a link, an extra step that makes this type of attack more difficult to launch.
A stored XSS is the most worrisome variant because it exploits a flaw that allows an attacker to upload a script to the vulnerable site that can then launch attacks against site visitors. The vulnerability discovered in WordPress is a stored XSS.
The threat itself is somewhat mitigated because this is an authenticated stored XSS, meaning the attacker must first acquire at least contributor-level permissions in order to exploit the flaw.
This vulnerability is classified as a medium threat, receiving a Common Vulnerability Scoring System (CVSS) score of 6.4 on a scale of 1 to 10.
Wordfence describes the vulnerability:
“WordPress Core is vulnerable to cross-site scripts stored using user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output in the display name. This makes it possible for authenticated attackers, with access at the contributor level and higher, to inject arbitrary web scripts into pages that will be executed whenever a user accesses an injected page.”
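An added example, not code from WordPress, Gutenberg or Wordfence: a Python sketch of what output escaping on a display name changes, plus a post-update audit that lists accounts whose display name contains markup characters. The sample users are constructed, the input shape assumes a JSON export from `wp user list --fields=ID,user_login,display_name,roles --format=json`, and `render_name` is a hypothetical stand-in for the block's output, not its real markup.

```python
import html
import re

# Constructed sample users (assumed shape: one dict per exported account).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "admin", "display_name": "Site Admin", "roles": "administrator"},
    {"ID": 7, "user_login": "jdoe", "display_name": "J. Doe<script>/* constructed */</script>", "roles": "contributor"},
    {"ID": 9, "user_login": "mlee", "display_name": 'M "Lee"', "roles": "author"},
    {"ID": 12, "user_login": "reader", "display_name": "Tom & Ann", "roles": "subscriber"},
    {"ID": 15, "user_login": "guest", "display_name": "<b>Guest</b>", "roles": "subscriber"},
]

# Roles at contributor level and higher, the access the advisory says is required.
CONTRIBUTOR_PLUS = {"contributor", "author", "editor", "administrator"}

# Characters that can open a tag or close a double-quoted attribute value.
MARKUP = re.compile(r'[<>"]')


def render_name(display_name, escape=True):
    """Hypothetical renderer: escape=False models insufficient output escaping."""
    text = html.escape(display_name, quote=True) if escape else display_name
    return f'<span class="avatar-name">{text}</span>'


def audit_display_names(users):
    """Return (ID, login, contributor_plus) for each display name containing markup."""
    findings = []
    for user in users:
        if MARKUP.search(user["display_name"]):
            roles = set(user["roles"].split(","))  # assumed comma-separated
            findings.append((user["ID"], user["user_login"], bool(roles & CONTRIBUTOR_PLUS)))
    return findings


if __name__ == "__main__":
    for user_id, login, elevated in audit_display_names(SAMPLE_USERS):
        print(f"review user {user_id} ({login}), contributor+ = {elevated}")
    name = SAMPLE_USERS[1]["display_name"]
    print("unescaped:", render_name(name, escape=False))
    print("escaped:  ", render_name(name))
```

Accounts flagged with `contributor_plus` set to true are the ones to review first, since that is the access level the advisory names.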
WordPress.org recommends an immediate upgrade
The official WordPress announcement recommended that users update their installations, writing:
“As this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress versions, 6.1 and later.”
Read the Wordfence advisories:
WordPress Core < 6.5.2: Authenticated stored cross-site scripting (Contributor+) using Avatar Block
Gutenberg 12.9.0 – 18.0.0 – Authenticated cross-site scripting (Contributor+) using Avatar Block
Read the official announcement from WordPress.org:
WordPress Maintenance and Security Version 6.5.2