WordPress published security release version 6.9.2 to patch multiple vulnerabilities, but the update caused some sites to crash (display a white screen), so WordPress quickly followed up with an additional update that contains a bugfix for the issue introduced by version 6.9.2.
WordPress security firm Wordfence published details of four of the vulnerabilities, which were rated as medium severity, while WordPress.org published the full list of ten, including one that’s due to an external PHP library.
Timeline Of WordPress Sites Crashing
Some WordPress users reported that the security update caused their sites to crash. Some on Reddit speculated that there was something wrong with the WordPress security patch, inferring that it was related to vibe coding. A discussion in the official WordPress forums describing issues with site functionality also started soon after the security patch was released.
The first post described their issue:
“A few minutes ago I got an update from Dreamhost that my website had automatically updated to WP 6.9.2. Now any page I try to load is coming up blank. I can still log into the back end, the pages are still there for editing, content is present, but when I go to the home page or any other page, nothing is displaying (view source is also empty.)
WordPress 6.9.2 with Crio theme, up to date.”
Others followed, describing similar problems, and a few posts later, one of the core developers responded to say that the issue is directly related to something in certain themes and suggested verifying that by switching to another theme. Seven hours after the initial post, the person who started the thread posted again to note that WordPress had issued a bugfix, version 6.9.3, to address the issues introduced by version 6.9.2, which were due to how certain themes were coded and not the security release itself.
Official Response From WordPress
The problem with sites crashing appears to relate to a non-standard way that certain themes load template files. Those themes were using an unsupported way of loading templates, which then led to a conflict with the patch. WordPress engineers quickly issued an additional patch to address those issues, even though the problem was on the theme side, not WordPress.
According to WordPress’s notes for the bugfix in version 6.9.3:
“This release features a bugfix for some themes that use an unusual “stringable object” mechanism when loading template file paths that broke in the 6.9.2 security release.
Although this is is not an officially supported approach to loading template files in WordPress (the template_include filter only accepts a string), it nevertheless caused some sites to break so the team have decided to address this in a fast follow 6.9.3 release. Users using affected themes should update to 6.9.3 to restore the front end of their site to an operational state.”
Wordfence Advisory
Wordfence published details of four of the vulnerabilities, with CVSS severity ratings of 4.3 to 6.4 on a scale of 1 to 10, with 10 being the highest severity level. All of them require authentication to exploit, meaning that an attacker would need to first obtain user permissions ranging from subscriber level to Administrator in order to launch an attack.
List of four vulnerabilities described by Wordfence:
- CVSS Severity Rating 4.3
WordPress 6.9 – 6.9.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API - CVSS Severity Rating 4.3
WordPress <= 6.9.1 – Missing Authorization to Authenticated (Author+) Sensitive Information Disclosure via query-attachments AJAX Endpoint - CVSS Severity Rating 4.4
WordPress <= 6.9.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Navigation Menu Items - CVSS Severity Rating 6.5
WordPress <= 6.9.1 – Authenticated (Author+) XML External Entity Injection via getID3 Library Media Upload
The Wordfence advisory for the most serious vulnerability, rated 6.5/10 described the flaw:
“WordPress core is vulnerable to XML External Entity (XXE) Injection via the bundled getID3 library in all versions up to and including 6.9.1. This is due to the `GETID3_LIBXML_OPTIONS` constant including the `LIBXML_NOENT` flag, which enables XML entity substitution during parsing.
When WordPress processes media files containing XML metadata (specifically iXML chunks in WAV/RIFF/AVI files), the getID3 library parses the XML with entity substitution enabled, allowing local file disclosure via `file://` protocol URIs. This may make it possible for authenticated attackers with Author-level access to read arbitrary files from the server.”
These are the full list of ten vulnerabilities:
- A Blind SSRF issue
- A PoP-chain weakness in the HTML API and Block Registry
- A regex DoS weakness in numeric character references
- A stored XSS in nav menus
- An AJAX query-attachments authorization bypass
- A stored XSS via the data-wp-bind directive
- An XSS that allows overridding client-side templates in the admin area
- A PclZip path traversal issue
- An authorization bypass on the Notes feature
- An XXE in the external getID3 library
Recommendations
It’s not known how severe the other six vulnerabilities are, although the ones that Wordfence described were rated only at a medium level of severity and required an attacker to first attain a user role. Nevertheless, WordPress recommends that site publishers update their sites immediately.
Featured Image by Shutterstock/Who is Danny
