WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities

Last night, just after 6pm Pacific time, on Thursday  March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues.

The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. The Wordfence Threat Intelligence team was able to create a Proof of Concept for this vulnerability fairly quickly and released a firewall rule early on March 11, 2022, to protect WordPress sites that have not yet been updated.

The two medium-severity vulnerabilities impact WordPress versions earlier than 5.9.2 and potentially allow attackers to execute arbitrary JavaScript in a user’s session if they can trick that user into clicking a link, though there are no known practical exploits for these two vulnerabilities affecting WordPress. All versions of WordPress since WordPress 3.7 have also been updated with the fix for these vulnerabilities.

Vulnerability Analysis

As with all WordPress core releases containing security fixes, the Wordfence Threat Intelligence team has analyzed the update in detail to ensure our customers remain secure.

We have released two new firewall rules to protect against the vulnerabilities patched in WordPress 5.9.2. These rules have been deployed to Wordfence Premium, Wordfence Care, and Wordfence Response users. Wordfence free users will receive these rules after 30 days on April 10, 2022.

Even if you are protected by the Wordfence firewall, we encourage you to update WordPress core on all your sites at your earliest convenience, if they have not already been automatically updated.

Contributor+ Stored Cross Site Scripting Vulnerability


Description: Contributor+ Stored XSS
Affected Versions: WordPress Core 5.9.0-5.9.1
CVE ID: Pending
CVSS Score: 8.0 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Fully Patched Version:
5.9.2
Researcher/s: Ben Bidner

WordPress uses a function called wp_kses to remove malicious scripts from posts, which is called in wp_filter_post_kses whenever post content is saved.

Recent versions of WordPress allow some degree of full site editing, including global styles, which use their own sanitization function wp_filter_global_styles_post.

Unfortunately, however, the wp_filter_global_styles_post function ran after wp_filter_post_kses. Normally this would not be an issue, but wp_filter_global_styles_post performs a second round of JSON decoding on the content it has been passed, which allows for a number of bypasses that would normally be handled by wp_kses.

The patched version runs wp_filter_global_styles_post before wp_filter_post_kses so that any potential bypasses have already been processed and wp_kses can effectively sanitize them.

This vulnerability does require the attacker to have the ability to edit posts, and as such they would need access to the account of at least a Contributor-level user. An attacker able to successfully exploit this vulnerability could inject malicious JavaScript into a post, which, when previewed by an administrator, would execute. JavaScript running in an administrator’s session can be used to take over a site via several methods including the addition of new malicious administrative users and the injection of backdoors into a website.

Prototype Pollution Vulnerabilities


Description: Prototype Pollution via the Gutenberg wordpress/url package
Affected Versions: WordPress Core < 5.9.2
CVE ID: Pending
CVSS Score: 5.0 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Fully Patched Version: 5.9.2
Researcher/s: Uncredited

Description: Prototype Pollution in jQuery
Affected Versions: WordPress Core < 5.9.2
CVE ID: CVE-2021-20083
CVSS Score: 5.0 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Fully Patched Version: 5.9.2
Researcher/s: Uncredited

Prototype pollution vulnerabilities allow attackers to inject key/value “properties” into JavaScript objects and are in many ways similar to PHP Object Injection vulnerabilities. In cases where the webserver is running JavaScript such as with Node.js, this can be used to achieve critical-severity exploits such as Remote Code Execution. WordPress, however, is a PHP application and does not run on Node.js so the impact of these vulnerabilities are limited.

One of these vulnerabilities was present in the Gutenberg wordpress/url package, while a separate but very similar vulnerability was present in jQuery, which was patched separately and updated to jQuery 2.2.3.

We are not aware of any practical exploits at this time, but any such exploits targeting WordPress would require user interaction, such as an attacker tricking a victim into clicking a link, similar to reflected Cross-Site Scripting(XSS).

An attacker successfully able to execute JavaScript in a victim’s browser could potentially take over a site, but the complexity of a practical attack is high and would likely require a separate vulnerable component to be installed. Nonetheless, the Wordfence Threat Intelligence team has released a firewall rule designed to block exploit attempts against these vulnerabilities.

Conclusion

In today’s article, we covered the 3 vulnerabilities patched in the WordPress 5.9.2 security release. Most actively used WordPress sites should have already been patched via automatic updates. The Wordfence firewall also provides protection against these vulnerabilities.

Despite this, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you should not have to worry about compatibility issues.

Help secure the WordPress community by sharing this information with WordPress site owners in your circle.

This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Did you enjoy this post? Share it!

Comments

4 Comments
  • Before this update 3 of my websites have been affected and getting redirected to malicious links. I saw these malicious files in the Wordfence Scan report.

    What is the next step to resolve this issue? Any help would be highly appreciated.

    • Hi,

      It sounds like you might need your site cleaned. We offer instructions on how to do this yourself at https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/. If you'd like us to clean your sites for you we also have a full-service solution that includes ongoing hands-on support https://www.wordfence.com/products/wordfence-care/

  • So is 5.8.3 fine as is, or is there someplace we download a stand alone patch to apply to it?

    • Hi Bob,

      The Stored XSS issue did not impact 5.8.3, but the fix for the prototype pollution issue was backported and is available in version 5.8.4, and we recommend updating to that minor version.