Numerous bugs, most of them identified as cross-site scripting (XSS) flaws, have been patched with version 5.4.1 in WordPress this week.
WordPress 5.4.1, a short cycle security and maintenance update, fixes 17 bugs and seven vulnerabilities affecting 5.4 and earlier versions. The developers of WordPress suggested that all versions older than 3.7 were patched.
WordPress Security company Defiant has released a blog post that explains each of the patched vulnerabilities.
One of the drawbacks is that password reset tokens are not correctly disabled. Specifically, if the user manually changes his password from their accounts, password reset links sent via email will remain correct. Nonetheless, to circumvent this, an attacker requires access to the email account of the victim, and the reset password connection remains intact.
Another fault allowed a non-authenticated intruder to access individual posts by querying date and time. They should also know the exact time — before the second time — of the targeted protected message.
The other vulnerabilities were identified as XSS issues involving customizers, search blocks, object cache, and file uploads. However, it requires authentication or access to the targeted device, which ensures that malicious actors can only exploit them if paired with other vulnerabilities or attacks (e.g., the phishing of user credentials).
WordPress developers said that the block editor was also affected by an XSS bug that an authenticated attacker may have exploited. Nonetheless, this issue has been established and remedied by release candidates and has never become stable.
For WordPress websites that accept automatic updates, version 5.4.1 should already be updated. Additional users were encouraged to download the new edition of WordPress on their official website or dashboard.
Users must install the latest updates on WordPress sites, which remain highly targeted by malicious actors. However, a lot of attacks use vulnerabilities in plugins and themes instead of the heart of WordPress.