WordPress released a security update to fix sixteen vulnerabilities, recommending that sites be updated immediately.
The security notice did not offer a description of the severity of the vulnerabilities however given the types of vulnerabilities WordPress acknowledged and the large number of them it may be a good idea to take this security release seriously.
Vulnerabilities Patched by WordPress
There are sixteen total fixes addressed in this security release that patches multiple kinds of vulnerabilities.
This is a list of the vulnerabilities fixed:
- 9 XSS issues, 6 of which are Stored XSS
- 2 Email related vulnerabilities
- 1 Cross Site Request Forgery Vulnerability
- 1 SQL Injection
- 1 Data exposure (REST Endpoint)
- 1 Open redirect
- 1 Revert shared user instances (feature presumably introduced a vulnerability)
Six Stored XSS Vulnerabilities
A stored XSS vulnerability is one in which the payload is uploaded and stored on the victim’s website servers.
An XSS vulnerability generally occurs anywhere that WordPress allows an input or an upload.
This kind of vulnerability arises through a flaw in the code where the input point doesn’t adequately filter what can be uploaded, resulting in the ability to upload a malicious script or some other unexpected file.
The non-profit security site Open Web Application Security Project (OWASP) describes this kind of vulnerability:
“Stored attacks are those where the injected script is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc.
The victim then retrieves the malicious script from the server when it requests the stored information.”
Cross-Site Request Forgery
A Cross-Site Request Forgery (CSRF) depends on a little bit of social engineering to trick a high level website user with administrative privilege to perform an action such as to follow a link.
This kind of vulnerability can lead to an admin performing actions that can compromise the website.
It can also affect regular website users by causing a user to change their login email or withdraw funds.
Open Redirect in `wp_nonce_ays`
An open redirect is a flaw in which a hacker can take advantage of a redirect.
In this case it’s redirect related to an “are you sure” notice to confirm an action.
The official WordPress description of this function is:
“If the action has the nonce explain message, then it will be displayed along with the “Are you sure?” message.”
A nonce is a security token generated by the WordPress site.
The official WordPress codex defines nonces:
“A nonce is a “number used once” to help protect URLs and forms from certain types of misuse, malicious or otherwise.
WordPress nonces aren’t numbers but are a hash made up of numbers and letters.
…WordPress’s security tokens are called “nonces” …because they serve much the same purpose as nonces do.
They help protect against several types of attacks including CSRF, but do not protect against replay attacks because they aren’t checked for one-time use.
Nonces should never be relied on for authentication, authorization, or access control.
Protect your functions using current_user_can(), and always assume nonces can be compromised.”
WordPress doesn’t describe exactly what this vulnerability is.
But Google has published a description of what an open redirect vulnerability is:
“This is a particularly onerous form of abuse because it takes advantage of your site’s functionality rather than exploiting a simple bug or security flaw.
Spammers hope to use your domain as a temporary “landing page” to trick email users, searchers and search engines into following links which appear to be pointing to your site, but actually redirect to their spammy site.”
Given how this vulnerability affects a sensitive security and access related function, it may be fairly serious.
SQL Injection due to improper sanitization in `WP_Date_Query`
This is a type of vulnerability where the attacker can input data straight into the database.
A database is basically the heart of a WordPress site, it’s where passwords, posts, etc. are stored.
Improper sanitization is a reference to a security check that’s supposed to limit what can be input.
SQL Injection attacks are considered very serious because they can lead to the website becoming compromised.
“SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
…The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity.”
WordPress Security Release
The WordPress alert said that this security update affects all versions from WordPress 3.7.
Nowhere in the announcement did it provide details on the severity of any of the vulnerabilities.
However it’s probably not a stretch to say that sixteen of vulnerabilities, including six stored XSS and one SQL Injection vulnerability is a matter of concern.
WordPress recommends updating websites immediately.
Official Description of Vulnerabilities Patched By WordPress 6.0.3
Read the Official Release Announcement
Featured image by Shutterstock/Pixel-Shot