WordPress Releases 6.02 Security Vulnerability Update
WordPress announces a security and maintenance update to fix three security holes.
WordPress has released an update containing security patches and bug fixes to address three vulnerabilities, rated as medium to severe.
The update may be downloaded or then installed automatically. Therefore it is essential to verify if the website has been upgraded to version 6.02 and if everything works as it should.
Bug Corrections
The update includes twelve fixes to the WordPress core and five fixes to fix the editor block.
One significant modification is the enhancement of the Pattern Directory intended to allow theme authors to serve only the patterns relevant to their theme.
This modification will improve its appeal and make it attractive for theme writers to encourage them to use it and provide an enhanced user experience to publishers.
“Many theme authors want all core and remote patterns disabled by default using remove_theme_support( ‘core-block-patterns’ ). This will ensure that they serve only those patterns that fit their theme to clients or customers.
This update will make this Pattern Directory more appealing/usable from the point of view of the theme’s author.”
3 Security Patches
The vulnerability is described as a high-severity SQL Injection vulnerability.
The SQL injection vulnerability permits an attacker to access the database that powers the website and then edit view, or alters sensitive information.
In a study published by Wordfence, WordPress 6.02 patches a severe vulnerability SQL injection vulnerability. However, it requires administrative rights to execute.
Wordfence identified the security flaw:
“The WordPress Link functionality, originally referred to as “Bookmarks,” has been removed and is now disabled by default on all new WordPress installations.
Older sites might still have this functionality, implying that millions of senior websites could be vulnerable even if they’re running the latest version of WordPress.
Fortunately, we have discovered that the vulnerability is a requirement for administrative privileges and is very difficult to exploit in standard configuration.”
The third and second security flaws are described as Stored-Cross-Site scripting, one of which is said not to impact WordPress, but the other is reported to affect the “vast” majority of WordPress publishers.
The Moment JavaScript The Date Library has been Updated
Another vulnerability was also fixed. However, it was not a component of the WordPress core. The exposure is in the JavaScript data library known as Moment, which WordPress utilizes.
The vulnerability of the JavaScript library has been assigned the CVE number. The CVE information about the vulnerability is available on the U.S. National Vulnerability Database. The vulnerability is described as the fix for a bug on WordPress.
What to Do
The update will roll out automatically to sites starting from version 3.7.
It is a good idea to confirm that the site is working correctly and that there aren’t any conflicts with the current theme and any installed plugins.