WordPress 5.4.2 Patches Multiple XSS Vulnerabilities
WordPress Core version 5.4.2 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that would require specific circumstances to exploit. In all, this release contains 6 security fixes, 3 of which are for XSS (Cross-Site Scripting) vulnerabilities. Both the free and Premium versions of Wordfence have robust built-in XSS protection which will protect against potential exploitation of these vulnerabilities.
A breakdown of each security issue
An XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor
This flaw would have made it possible for an attacker to inject JavaScript into a post by manipulating the attributes of embedded iframes. This would be exploitable by users with the edit_posts capability, meaning users with the Contributor role or higher in most configurations.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47947/
This issue was discovered and reported by Sam Thomas (jazzy2fives)
An XSS issue where authenticated users with upload permissions are able to add JavaScript to media files
This flaw would have made it possible for an attacker to inject JavaScript into the “Description” field of an uploaded media file. This would be exploitable by users with the upload_files capability, meaning users with the Author role or higher in most configurations.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47948/
This issue was discovered and reported by Luigi – (gubello.me)
An open redirect issue in wp_validate_redirect()
For this flaw, the wp_validate_redirect function failed to sufficiently sanitize URLs supplied to it. As such, under certain circumstances an attacker could craft a link to an impacted site that would redirect visitors to a malicious external site. This would not require specific capabilities, but it would typically require either social engineering or a separate vulnerability in a plugin or theme to exploit.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47949/
This issue was discovered and reported by Ben Bidner of the WordPress Security Team.
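To make the class of bug concrete, here is a host-allowlisted redirect-target check run against the inputs an open-redirect test would try. This is an added example written for this post, not the code of wp_validate_redirect() and not a description of the fixed defect; the function name, the site host good.example and the test inputs are all constructed for illustration.

```php
<?php
// Added example (not WordPress core's wp_validate_redirect()): an allowlisted
// redirect-target check. Function name, hosts and inputs are hypothetical.

/**
 * Return $location if it is an absolute path on this site or an http(s) URL
 * whose host is in $allowed_hosts; otherwise return $default.
 */
function safe_redirect_target(string $location, array $allowed_hosts, string $default = '/'): string
{
    // Drop surrounding whitespace/NUL, then refuse any remaining control characters.
    $location = trim($location, " \t\n\r\0\x0B");
    if ($location === '' || preg_match('/[\x00-\x1F\x7F]/', $location)) {
        return $default;
    }

    // Browsers treat a backslash like a slash, so "/\evil.example" becomes
    // "//evil.example", a protocol-relative external URL. Refuse it outright.
    if (strpos($location, '\\') !== false) {
        return $default;
    }

    // A protocol-relative target is external. Give it a scheme so parse_url()
    // exposes the host and the allowlist check below applies to it.
    if (substr($location, 0, 2) === '//') {
        $location = 'http:' . $location;
    }

    $parts = parse_url($location);
    if ($parts === false) {
        return $default; // malformed, e.g. "http:///evil.example" (from "///evil.example")
    }

    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : null;
    $host   = isset($parts['host']) ? strtolower($parts['host']) : null;

    // Only http/https may be redirect targets; this drops javascript:, data:, etc.
    if ($scheme !== null && $scheme !== 'http' && $scheme !== 'https') {
        return $default;
    }

    if ($host === null) {
        // "https:evil.example" parses as scheme + path with no host, and some
        // clients still treat it as absolute: reject scheme/userinfo/port without a host.
        foreach (['scheme', 'user', 'pass', 'port'] as $component) {
            if (isset($parts[$component])) {
                return $default;
            }
        }
        // A host-less target must be an absolute path on this site.
        $path = $parts['path'] ?? '';
        return substr($path, 0, 1) === '/' ? $location : $default;
    }

    // Userinfo tricks such as "https://good.example@evil.example" parse with
    // host = evil.example, so the parsed host, not the string prefix, is compared.
    return in_array($host, array_map('strtolower', $allowed_hosts), true) ? $location : $default;
}

// Constructed inputs; the site's own host is assumed to be good.example.
$allowed = ['good.example'];
$cases = [
    '/wp-admin/'                         => true,
    'https://good.example/wp-login.php'  => true,
    'HTTPS://GOOD.EXAMPLE/'              => true,
    'https://evil.example/'              => false,
    '//evil.example/'                    => false,
    '///evil.example/'                   => false,
    '/\\evil.example'                    => false,
    'https:evil.example'                 => false,
    'https://good.example@evil.example/' => false,
    'https://good.example.evil.example/' => false,
    'javascript:alert(1)'                => false,
];
foreach ($cases as $input => $expectAllowed) {
    $wasAllowed = safe_redirect_target($input, $allowed, '/') === $input;
    printf("%s %s\n", $wasAllowed === $expectAllowed ? 'PASS' : 'FAIL', $input);
}
```

The point of the table is that each hostile row defeats a naive check (a string prefix test, a scheme test alone, or parse_url() without the backslash and protocol-relative handling); when auditing a plugin or theme that redirects to a user-supplied location, these are the inputs to try.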
An authenticated XSS issue via theme uploads
This flaw would have made it possible for an attacker to inject JavaScript into the stylesheet name of a broken theme, which would then be executed if another user visited the Appearance > Themes page on the site. This would be exploitable by users with the install_themes or edit_themes capabilities, which are only available to administrators in most configurations.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47950/
This issue was discovered and reported by Nrimo Ing Pandum
An issue where set-screen-option can be misused by plugins leading to privilege escalation
For this flaw, a plugin incorrectly using the set-screen-option filter to save arbitrary or sensitive options could potentially be used by an attacker to gain administrative access. We are not currently aware of any plugins that are vulnerable to this issue.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47951/
This issue was discovered and reported by Simon Scannell of RIPS Technologies
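The misuse pattern in question is easy to spot in plugin code. The following is an added example written for this post, hypothetical plugin code rather than code from any real plugin or from WordPress core: the filter callback on the left returns the submitted value for every option name, the one on the right only handles the single option it registered. What is factual here is the filter contract, which core passes ($status, $option, $value) to 'set-screen-option' and saves a non-false return value as user meta under the option name; the option name, function names and sample submissions are constructed.

```php
<?php
// Added example (hypothetical plugin code, not from any real plugin or from
// WordPress core). Core calls apply_filters('set-screen-option', $status, $option,
// $value) with $option taken from the submitted screen-options form; whatever the
// filter returns, unless it is false, is saved as user meta under the key $option.

// VULNERABLE PATTERN: saves whatever option name the request supplied.
function example_plugin_unsafe_screen_option($status, $option, $value)
{
    return $value; // $option is never checked, so the user picks the meta key
}
// add_filter('set-screen-option', 'example_plugin_unsafe_screen_option', 10, 3);

// HARDENED PATTERN: handle only the option this plugin registered, and bound its value.
const EXAMPLE_PLUGIN_PER_PAGE = 'example_plugin_items_per_page'; // hypothetical option name

function example_plugin_safe_screen_option($status, $option, $value)
{
    if ($option !== EXAMPLE_PLUGIN_PER_PAGE) {
        return $status; // not ours: pass the incoming status through untouched
    }
    $value = (int) $value;
    if ($value < 1 || $value > 500) {
        return $status; // out of range: refuse to save
    }
    return $value;
}
// add_filter('set-screen-option', 'example_plugin_safe_screen_option', 10, 3);

// Simulate what core does with each callback's return value: a false return is
// ignored, anything else would be written to user meta under $option.
function simulate_screen_option(callable $callback, string $option, $value): string
{
    $result = $callback(false, $option, $value);
    return $result === false
        ? "ignored    $option"
        : "would save user meta '$option' = " . var_export($result, true);
}

// Constructed submissions: the plugin's own option, and an option name the
// plugin never registered (standing in for any sensitive key an attacker picks).
$legit   = [EXAMPLE_PLUGIN_PER_PAGE, '25'];
$hostile = ['some_other_option', 'attacker-controlled'];

foreach (['example_plugin_unsafe_screen_option', 'example_plugin_safe_screen_option'] as $cb) {
    echo $cb, ":\n";
    echo '  ', simulate_screen_option($cb, ...$legit), "\n";
    echo '  ', simulate_screen_option($cb, ...$hostile), "\n";
}
```

When reviewing a plugin, grep for add_filter('set-screen-option' and check that the callback compares $option against a fixed name before returning anything other than $status; a callback whose only statement is return $value is the pattern this fix is concerned with.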
An issue where comments from password-protected posts and pages could be displayed under certain conditions
For this flaw, comment excerpts on password-protected posts could have been visible on sites displaying the “Recent Comments” widget or using a plugin or theme with similar functionality.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47984/
This issue was discovered and reported by Carolina Nymark
Note: This is unrelated to an issue where unmoderated spam comments were briefly visible and indexable by search engines.
What should I do?
Most of these vulnerabilities appear to be exploitable only under limited circumstances or by trusted users, but we recommend updating as soon as possible. Attackers may find ways to exploit them more easily, or the researchers who discovered these vulnerabilities may publish proof-of-concept code that allows simpler exploitation. This is a minor WordPress release, so most sites will automatically update to the new version.
Conclusion
We’d like to thank the WordPress core team and the researchers who discovered and responsibly reported these vulnerabilities for making WordPress safer for everyone.
You can find the official announcement of the WP 5.4.2 release on this page. If you have any questions or comments, please don’t hesitate to post them below and we’ll do our best to answer them in a timely manner. If you are one of the researchers whose work is included above and would like to provide additional detail or corrections, we welcome your comments.
Special thanks to QA Lead Matt Rusnak for helping to identify the changesets associated with these fixes.
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.
Comments
2:40 pm
Getting these notices about any vulnerabilities from an updated site is frustrating for me.
How am I supposed to be sure the site is safe without understanding all the tech jargon? I would hardly know what to do. As I said, frustrating.
Thanks,
Patty
9:33 am
Hi Patricia! It can be a bit overwhelming. Keep your themes, plugins, and core updated, remove any plugins you're no longer using (don't just deactivate, actually delete them), make sure you only have one site in your cpanel/FTP account, and use Wordfence. You'll be good to go. And if you're a Wordfence Premium customer, our team is here to support you and answer any questions you have at https://support.wordfence.com.