WordPress Releases Urgent Security Update to Patch XSS and Path Traversal Flaws

23

WordPress has released an urgent security update, version 6.5.5, addressing critical vulnerabilities that could potentially compromise the security of millions of websites.

This minor release, which also includes three bug fixes in the core, is highly recommended for immediate installation to ensure site security and stability.

Key Security Fixes

The WordPress 6.5.5 update addresses three significant security vulnerabilities:

Cross-Site Scripting (XSS) Vulnerability in HTML API: Dennis Snell of the WordPress Core Team, along with Alex Concha and Grzegorz (Greg) Ziółkowski of the WordPress security team, reported this vulnerability, which could allow attackers to inject malicious scripts into web pages viewed by other users.

Cross-Site Scripting (XSS) Vulnerability in Template Part Block: Independently reported by Rafie Muhammad of Patchstack and identified during a third-party security audit, this flaw could enable attackers to execute arbitrary scripts in the context of the user’s session.

Path Traversal Issue on Windows-Hosted Sites: This vulnerability, reported by Rafie M & Edouard L of Patchstack, David Fifield, x89, apple502j, and mishre, could allow attackers to access restricted directories and files on the server, potentially leading to data breaches or further exploitation.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

Update Instructions

To update to WordPress 6.5.5, users can:

Download from WordPress.org: Visit the official WordPress website to download the latest version.

Update via WordPress Dashboard: Navigate to the Dashboard, click on “Updates,” and then click “Update Now.”

Automatic Background Updates: For sites that support automatic updates, the process will begin automatically.

Importance of Immediate Update

Given the nature of the vulnerabilities, all WordPress site administrators must update their installations immediately. Delaying updates can expose sites to potential attacks, leading to data loss, unauthorized access, and other security breaches.

WordPress 6.5.5 is a short-cycle release, with the next major release, version 6.6, scheduled for July 16, 2024. This upcoming release is expected to bring significant improvements and new features, further enhancing the platform’s functionality and user experience.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Comments are closed.