Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

WordPress 5.4.2 Patches Multiple XSS Vulnerabilities

This entry was posted in Vulnerabilities, WordPress Security on June 11, 2020 by Ram Gall   2 Replies

WordPress Core version 5.4.2 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that would require specific circumstances to exploit. All in all this release contains 6 security fixes, 3 of which are for XSS (Cross-Site Scripting) vulnerabilities. Both the free and Premium versions of Wordence have robust built-in XSS protection which will protect against potential exploitation of these vulnerabilities.

A Breakdown of each security issue

An XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor

This flaw would have made it possible for an attacker to inject JavaScript into a post by manipulating the attributes of Embedded iFrames. This would be exploitable by users with the edit_posts capability, meaning users with the Contributor role or higher in most configurations.

The changeset in question is:
https://core.trac.wordpress.org/changeset/47947/

This issue was discovered and reported by Sam Thomas (jazzy2fives)

An XSS issue where authenticated users with upload permissions are able to add JavaScript to media files

This flaw would have made it possible for an attacker to inject JavaScript into the “Description” field of an uploaded media file. This would be exploitable by users with the upload_files capability, meaning users with the Author role or higher in most configurations.

The changeset in question is:
https://core.trac.wordpress.org/changeset/47948/

This issue was discovered and reported by Luigi – (gubello.me)

An open redirect issue in wp_validate_redirect()

For this flaw, the wp_validate_redirect function failed to sufficiently sanitize URLs supplied to it. As such it would have been possible under certain circumstances for an attacker to craft a link to an impacted site that would redirect visitors to a malicious external site. This would not require specific capabilities, but it would typically require either social engineering or a separate vulnerability in a plugin or theme to exploit.

The changeset in question is:
https://core.trac.wordpress.org/changeset/47949/

This issue was discovered and reported by Ben Bidner of the WordPress Security Team.

An authenticated XSS issue via theme uploads

This flaw would have made it possible for an attacker to inject JavaScript into the stylesheet name of a broken theme, which would then be executed if another user visited the Appearance->Themes page on the site. This would be exploitable by users with the install_themes or edit_themes capabilities, which are only available to administrators in most configurations.

The changeset in question is:
https://core.trac.wordpress.org/changeset/47950/

This issue was discovered and reported by Nrimo Ing Pandum

An issue where set-screen-option can be misused by plugins leading to privilege escalation

For this flaw, a plugin incorrectly using the set-screen-option filter to save arbitrary or sensitive options could potentially be used by an attacker to gain administrative access. We are not currently aware of any plugins that are vulnerable to this issue.

The changeset in question is:
https://core.trac.wordpress.org/changeset/47951/

This issue was discovered and reported by Simon Scannell of RIPS Technologies

An issue where comments from password-protected posts and pages could be displayed under certain conditions

For this flaw, comment excerpts on password-protected posts could have been visible on sites displaying the “Recent Comments” widget or using a plugin or theme with similar functionality.

The changeset in question is:
https://core.trac.wordpress.org/changeset/47984/

This issue was discovered and reported by Carolina Nymark

Note: This is unrelated to an issue where unmoderated spam comments were briefly visible and indexable by search engines.

What should I do?

Most of these vulnerabilities appear to be exploitable only under limited circumstances or by trusted users, but we recommend updating as soon as possible. Attackers may find ways to exploit them more easily, or the researchers who discovered these vulnerabilities may publish Proof of Concept code that allows simpler exploitation. This is a minor WordPress release, so most sites will automatically update to the new version.

Conclusion

We’d like to thank the WordPress core team and the researchers who discovered and responsibly reported these vulnerabilities for making WordPress safer for everyone.

You can find the official announcement of the WP 5.4.2 release on this page. If you have any questions or comments, please don’t hesitate to post them below and we’ll do our best to answer them in a timely manner. If you are one of the researchers whose work is included above and would like to provide additional detail or corrections, we welcome your comments.

Special thanks to QA Lead Matt Rusnak for helping to identify the changesets associated with these fixes.

Did you enjoy this post? Share it!

2 Comments on "WordPress 5.4.2 Patches Multiple XSS Vulnerabilities"

Patricia L. Fiorilli June 11, 2020 at 2:40 pm

Getting these notices about any vulnerabilities from an updated site is frustrating for me.
How am I supposed to be sure the site is safe without understanding all the tech jargon? I would hardly know what to do? As i said, frustrating.
Thanks,
Patty

Kathy Zant June 15, 2020 at 9:33 am

Hi Patricia! It can be a bit overwhelming. Keep your themes, plugins, and core updated, remove any plugins you're no longer using (don't just deactivate, actually delete them), make sure you only have one site in your cpanel/FTP account, and use Wordfence. You'll be good to go. And if you're a Wordfence Premium customer, our team is here to support you and answer any questions you have at https://support.wordfence.com.

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates