A security update for WordPress was made public to address more than a dozen issues of various severity. To fix many security issues found in WordPress versions prior to 6.0.3, WordPress released a security update. Every update since WordPress 3.7 has also been made by WordPress.
WordPress security advisories about numerous vulnerabilities were released by the US Government’s National Vulnerability Database. A Cross-Site Scripting vulnerability, sometimes known as an XSS vulnerability, is one of many types that harm WordPress.
An online programme like WordPress commonly develops a cross-site scripting vulnerability when it doesn’t thoroughly examine (sanitise) what is entered into a form or submitted through an upload input. When a user visits a website, an attacker can send them a malicious script, which the user can then execute, giving the attacker access to sensitive data or cookies including user credentials. A Stored XSS vulnerability was also found, which is regarded as being worse than a typical XSS assault. When a user or logged-in user visits a website that has been subject to a stored XSS attack, the malicious script that was saved on the website is then executed.
Cross-Site Request Forgery (CSRF) is a third category of vulnerability that has been identified.
The vulnerabilities identified are as follows:
- XSS stored through wp-mail.php (post by email)
- Redirect in “wp nonce ays” is open
- In wp-mail.php, the email address of the sender is displayed
- Reflected XSS on Media Library through SQLi
- wp-trackback.php contains Cross-Site Request Forgery (CSRF)
- through the Customizer, stored XSS
- Reverse the introduction of shared user instances in 50790
- XSS was saved in the WordPress core through comment editing
- the REST Terms/Tags Endpoint’s data exposure
- Emails with many parts had content leak
- SQL Injection brought on by ‘WP Date Query’s’ poor sanitization
- RSS Widget: Issue with stored XSS
- in the search block stored XSS
- Block of featured images: XSS problem
- RSS Block: Issue with stored XSS
- Fix the XSS widget blocker
WordPress advised all users to update their websites right away. Check the official anouncement of of WordPress
Check out the listings for these vulnerabilities in the National Vulnerability Database.
- Detail for CVE-2022-43504
- Detail for CVE-2022-43500
- Detail for CVE-2022-43497
