WordPress 5.2.3 Patches Several XSS Vulnerabilities


On Thursday, WordPress developers announced the availability of version 5.2.3, a maintenance and security release that includes 29 fixes and improvements along with several security patches.

On the security side, WordPress 5.2.3 mainly patches cross-site scripting (XSS) vulnerabilities. Two of them, XSS bugs in post previews and in stored comments, were reported by Simon Scannell of RIPS Technologies.

Two other WordPress vulnerabilities, both of which could be exploited for remote code execution, were disclosed by RIPS earlier this year.

WordPress developers also credited Anshul Jain for a reflected XSS bug in media uploads, Fortinet’s Zhouyuan Yang for an XSS in shortcode previews, and NCC Group’s Soroush Dalili for a URL sanitization issue that could lead to XSS attacks.

Ian Dunn of the WordPress core security team discovered a reflected XSS vulnerability in the dashboard.

WordPress site owners and administrators were also informed that jQuery has been updated for older versions of the CMS. Earlier jQuery versions contain a flaw that allows XSS attacks.

Sites that support automatic updates may already have been updated. Administrators of sites that do not update automatically can update manually from the Updates section of the WordPress dashboard.
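For administrators who manage many installs and want a scripted check rather than a visit to each dashboard, the following is an added example (not code from the article or from the WordPress project) that reads the version string WordPress keeps in `wp-includes/version.php` and reports whether an install is at or above 5.2.3. It assumes the standard layout of that file (a `$wp_version = '...';` assignment), treats only 5.2.3 and later as patched, which is an assumption that ignores any fixes backported to older release branches, and flags pre-release builds (versions carrying a `-alpha`/`-beta`/`-RC` suffix) for manual review. The sample file contents embedded below are constructed for the example.

```python
import re
from pathlib import Path
from typing import Dict, Optional, Tuple, Union

# Constructed sample of the relevant lines from wp-includes/version.php
# (an unpatched 5.2.2 install); used so the example runs offline.
SAMPLE_VERSION_PHP = """<?php
/**
 * WordPress Version
 */
$wp_version = '5.2.2';
$wp_db_version = 44719;
"""

# Release that shipped the XSS fixes discussed in the article.
FIXED_IN = "5.2.3"

# Matches the assignment WordPress core uses to declare its version.
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_wp_version(version_php: str) -> Optional[str]:
    """Extract the version string from the text of wp-includes/version.php."""
    match = _VERSION_RE.search(version_php)
    return match.group(1) if match else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '5.2.10' into (5, 2, 10) so comparison is numeric, not lexical.

    A naive string compare would rank '5.2.10' below '5.2.3'. Pre-release
    suffixes such as '-alpha-45678' or '-RC1' are stripped here; callers
    should treat those builds separately (see check_install).
    """
    core = version.split("-", 1)[0]
    parts = tuple(int(p) for p in core.split(".") if p.isdigit())
    # Pad to three components so '5.3' compares equal to '5.3.0'.
    return parts + (0,) * (3 - len(parts))


def is_patched(installed: str, fixed_in: str = FIXED_IN) -> bool:
    """True when the installed version is at or above the fixed release."""
    return version_tuple(installed) >= version_tuple(fixed_in)


def check_install(version_php_text: str) -> Dict[str, Union[str, bool, None]]:
    """Summarise patch status for one install from its version.php contents."""
    version = parse_wp_version(version_php_text)
    if version is None:
        return {"version": None, "patched": False, "prerelease": False,
                "note": "could not find $wp_version; inspect the install manually"}
    prerelease = "-" in version
    note = ("pre-release build: confirm it was built after the fix landed"
            if prerelease else
            ("at or above %s" % FIXED_IN if is_patched(version) else "update required"))
    return {"version": version, "patched": is_patched(version),
            "prerelease": prerelease, "note": note}


def check_install_path(docroot: Union[str, Path]) -> Dict[str, Union[str, bool, None]]:
    """Run the check against a real install rooted at `docroot` (hypothetical path)."""
    text = Path(docroot, "wp-includes", "version.php").read_text(encoding="utf-8")
    return check_install(text)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(check_install(SAMPLE_VERSION_PHP))
```

Pointing `check_install_path` at each site's document root turns this into a fleet-wide inventory; anything reported as `update required` or `pre-release build` is a candidate for the manual update described above.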

WordPress websites are frequently targeted by malicious actors. While some attacks have exploited flaws in WordPress itself, a large share of this activity exploits vulnerabilities in popular plugins.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.