WordPress has announced the release of a maintenance and security update aimed at addressing several vulnerabilities, including one that could potentially allow a full site takeover.
Maintenance and Security Update: WordPress 6.3.2
WordPress 6.3.2 includes 41 bug fixes and, more crucially, patches for eight identified security vulnerabilities.
The following eight vulnerabilities were recently discovered and patched:
- Arbitrary shortcode execution vulnerability in the WordPress core
- Potential user email address disclosure to unauthenticated attackers
- Remote code execution POP Chains vulnerability
- Cross-site scripting (XSS) vulnerability in the post link navigation block
- Leaked comment visibility on private posts
- Reflected XSS vulnerability in the application passwords screen
- XSS vulnerability in the footnotes block
- Cache poisoning Denial of Service (DoS) vulnerability
Some vulnerabilities stem from insufficient input sanitization, which occurs when submitted data isn’t properly filtered to remove malicious inputs.
The official WordPress developer page on input sanitization explains:
“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.
Sanitizing input is the process of securing/cleaning/filtering input data.
Validation is preferred over sanitization because validation is more specific.
But when ‘more specific’ isn’t possible, sanitization is the next best thing.”
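As an added illustration of the validation-versus-sanitization distinction quoted above (example code written for this article, not code from WordPress core or the developer page), here is a hypothetical shortcode handler that validates the attributes it can constrain to a known range or allowlist and falls back to sanitization only for free text. It assumes the WordPress runtime, where `shortcode_atts`, `absint`, `sanitize_text_field`, `esc_attr`, `esc_html` and `add_shortcode` are core functions.

```php
<?php
// Hypothetical [recent_posts] shortcode, added as an example for this article.
// Assumes it runs inside WordPress, where shortcode_atts(), absint(),
// sanitize_text_field(), esc_attr(), esc_html() and add_shortcode() exist.

function example_recent_posts_shortcode( $atts ) {
    // Merge user-supplied attributes with defaults; keys not in the
    // defaults array are dropped by shortcode_atts().
    $atts = shortcode_atts(
        array( 'count' => 5, 'align' => 'left', 'title' => 'Recent posts' ),
        $atts,
        'recent_posts'
    );

    // VALIDATION: count must be an integer in a known range. Out-of-range
    // values are rejected (reset to the default) rather than "cleaned up".
    $count = absint( $atts['count'] );
    if ( $count < 1 || $count > 20 ) {
        $count = 5;
    }

    // VALIDATION: align must be one of a fixed allowlist. This is the
    // "more specific" check the developer page prefers over sanitization.
    $allowed_align = array( 'left', 'center', 'right' );
    $align = in_array( $atts['align'], $allowed_align, true ) ? $atts['align'] : 'left';

    // SANITIZATION: title is free text, so "more specific" is not possible.
    // sanitize_text_field() strips tags, invalid UTF-8 and line breaks on input.
    $title = sanitize_text_field( $atts['title'] );

    // ESCAPING at output is still required: sanitizing on the way in does not
    // replace context-specific escaping when the value is rendered as HTML.
    $output  = '<div class="recent-posts align-' . esc_attr( $align ) . '">';
    $output .= '<h3>' . esc_html( $title ) . '</h3>';
    $output .= '<!-- would list ' . (int) $count . ' posts here -->';
    $output .= '</div>';

    return $output;
}
add_shortcode( 'recent_posts', 'example_recent_posts_shortcode' );
```

With `[recent_posts count="999" align="<b>x</b>" title="<b>Hi</b>"]`, `count` falls back to 5, `align` to `left`, and the title renders as plain `Hi`.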
All of the vulnerabilities are rated as medium severity, with patches applied for five medium severity issues.
An advisory about the current security release from Wordfence highlights that at least one vulnerability had the potential for a full site takeover.
WordPress recommends all users ensure their installations are updated to the latest version, WordPress 6.3.2.
According to the official WordPress announcement:
“Because this is a security release, it is recommended that you update your sites immediately.
Backports are also available for other major WordPress releases, 4.1 and later.”
WordPress 6.3.2 – Maintenance and Security release