WordPress announced an update that includes seventeen bug fixes and fixes seven vulnerabilities. WordPress is automatically updating sites to WordPress 5.4.1.
It is important to check that your WordPress installation is updated to version 5.4.1.
Cross-site Scripting Vulnerabilities
WordPress patched its software to address multiple cross-site scripting (XSS) vulnerabilities. There are two kinds: XSS and authenticated XSS.
A cross-site scripting (XSS) vulnerability allows an attacker to inject a malicious script on a vulnerable web page.
An authenticated cross-site scripting (authenticated XSS) vulnerability is the same vulnerability, except that it happens when a user is logged in. The user can be anyone, ranging from a site member all the way up to the administrator level.
XSS vulnerabilities can be used to attack site visitors as well as to alter a WordPress web page. These kinds of vulnerabilities can be used as the first wave of attack that can unlock and clear the way for more serious attacks.
For that reason it’s important to stay on top of XSS vulnerabilities and keep your WordPress installation patched to the very latest version.
The software update was not limited to fixing XSS vulnerabilities. There were other kinds of vulnerabilities as well.
Not All Sites Automatically Updated
WordPress announced that WordPress installations from WordPress 3.7 and up have been automatically updated. That means WordPress installations lower than 3.7 were not automatically updated.
The official WordPress announcement implies that versions lower than 3.7 remain vulnerable, since this vulnerability affects all WordPress versions under 5.4.
It is prudent to update any older WordPress installations to the very latest in order to avoid any previous WordPress vulnerabilities.
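An added example (not part of the original article, and not WordPress's own tooling): a shell check that reads the version a WordPress install reports and sorts it against the two thresholds the article mentions, 3.7 and 5.4.1. It assumes the standard layout in which wp-includes/version.php sets $wp_version; the function names and status labels are made up for illustration.

```shell
#!/bin/sh
# Added example: triage WordPress installs against the article's thresholds.

# Print the version set in <root>/wp-includes/version.php (empty if absent).
wp_version_of() {
    sed -n "s/^[\$]wp_version *= *'\([^']*\)';.*/\1/p" \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Succeed if dotted version $1 is numerically lower than $2 (so 5.10 > 5.4.1).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# Status labels are hypothetical names chosen for this example.
classify_wp() {
    v=$(wp_version_of "$1")
    if [ -z "$v" ]; then echo "unknown"                      # no version.php found
    elif version_lt "$v" 3.7; then echo "manual-update-required"  # below auto-update range
    elif version_lt "$v" 5.4.1; then echo "verify-update"    # auto-update range, not 5.4.1
    else echo "current"
    fi
}

# Constructed sample: a fake install tree that holds only version.php.
make_sample() {
    mkdir -p "$1/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$2" > "$1/wp-includes/version.php"
}

# With arguments: report each given WordPress root. Without: use constructed samples.
if [ "$#" -gt 0 ]; then
    for root in "$@"; do printf '%s\t%s\n' "$root" "$(classify_wp "$root")"; done
else
    tmp=$(mktemp -d)
    for ver in 5.4.1 5.3.2 3.6.1; do
        make_sample "$tmp/site-$ver" "$ver"
        printf '%s\t%s\n' "$ver" "$(classify_wp "$tmp/site-$ver")"
    done
    rm -rf "$tmp"
fi
```

Pass one or more WordPress root directories as arguments to check real installs; with no arguments it runs on the constructed samples only.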
According to the official WordPress announcement:
“This security and maintenance release features 17 bug fixes in addition to 7 security fixes. Because this is a security release, it is recommended that you update your sites immediately.”
Read the official WordPress announcement here: