WordPress Releases Security Vulnerability Update 6.0.2

WordPress has released an update containing bug fixes and security fixes that address three vulnerabilities rated from high to medium severity.

The update may already have been downloaded and installed automatically, so it is essential to check that the website has been updated to version 6.0.2 and that everything is still working normally.

Bug fixes

The update contains twelve fixes for the WordPress core and five for the block editor.

One notable change is an improvement to the Pattern Directory, intended to help theme authors serve only the patterns related to their themes.

The goal of this change is to make the directory more attractive for theme authors to use and to give editors a better experience.

“Many theme authors want all core and remote patterns disabled by default using remove_theme_support('core-block-patterns'). This ensures that they only serve patterns relevant to their theme to clients.

This change will make the Pattern Directory more attractive/usable from the theme author’s point of view.”

Three security fixes

The first vulnerability is described as a high severity SQL injection vulnerability.

A SQL injection vulnerability allows an attacker to query the database that underpins the website and add, view, delete, or modify sensitive data.

According to a report by Wordfence, WordPress 6.0.2 fixes a high-severity SQL injection vulnerability, but exploiting it requires administrative privileges.

Wordfence described the vulnerability as follows:

“The WordPress Link feature, formerly known as ‘Bookmarks’, is no longer enabled by default on new WordPress installations.

Older sites may still have the feature enabled, which means millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress.

Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration.”

The second and third vulnerabilities are described as stored cross-site scripting (XSS) flaws, one of which would not affect the “vast” majority of WordPress publishers.

JavaScript Moment date library update

Another vulnerability has also been fixed, though it was not in WordPress core itself. It affects Moment, a JavaScript date library that WordPress bundles.

The library vulnerability has been assigned a CVE number, and details are available in the US government’s National Vulnerability Database. WordPress documents it as a bug fix.

What to do

The update should roll out automatically to sites running WordPress 3.7 or later.

It is still worth checking that the site is working properly and that there are no conflicts with the current theme and installed plugins.
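The version check the article recommends, as an added example that is not part of the original article or of WordPress itself: it reads the version string from wp-includes/version.php (the core file that defines $wp_version) and compares it against 6.0.2, so it works offline without WP-CLI or database access. The install root path passed to it is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): verify that a WordPress install
# already carries the 6.0.2 security fixes by reading the version string
# from wp-includes/version.php, the core file that defines $wp_version.
# Assumption: the install root passed in is a readable WordPress checkout.

# Print the numeric prefix of a version component (e.g. "1-alpha" -> 1), or 0.
num_prefix() {
    n=${1%%[!0-9]*}
    echo "${n:-0}"
}

# Succeed when version $1 is >= version $2 (compares major.minor.patch).
version_at_least() {
    have=$1 want=$2
    old_ifs=$IFS; IFS=.
    set -- $have; h1=$(num_prefix "$1"); h2=$(num_prefix "$2"); h3=$(num_prefix "$3")
    set -- $want; w1=$(num_prefix "$1"); w2=$(num_prefix "$2"); w3=$(num_prefix "$3")
    IFS=$old_ifs
    [ "$h1" -gt "$w1" ] && return 0
    [ "$h1" -lt "$w1" ] && return 1
    [ "$h2" -gt "$w2" ] && return 0
    [ "$h2" -lt "$w2" ] && return 1
    [ "$h3" -ge "$w3" ]
}

# Read $wp_version from a version.php file; prints nothing if it cannot be found.
wp_version_from_file() {
    [ -r "$1" ] || return 0
    grep '^\$wp_version' "$1" | head -n 1 | cut -d"'" -f2
}

# Check the install rooted at $1: returns 0 when patched, 1 when outdated, 2 on error.
check_wp_root() {
    ver=$(wp_version_from_file "$1/wp-includes/version.php")
    if [ -z "$ver" ]; then
        echo "could not read a WordPress version under $1"
        return 2
    fi
    if version_at_least "$ver" "6.0.2"; then
        echo "WordPress $ver at $1: carries the 6.0.2 security fixes"
        return 0
    fi
    echo "WordPress $ver at $1: older than 6.0.2, update needed"
    return 1
}
# Usage: check_wp_root /var/www/html
```

Because legacy sites may still have the Link (Bookmarks) feature enabled, it is also worth reviewing that setting on any older install the script reports as patched.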
