
WordPress 6.3.2 security update for 8 vulnerabilities
WordPress has announced a maintenance and security release that addresses several vulnerabilities, including one that could lead to a full takeover of a site.
Maintenance and security version WordPress 6.3.2
WordPress 6.3.2 delivers 41 bug fixes, but more importantly, it includes patches for eight vulnerabilities.
The following eight vulnerabilities were recently discovered and fixed:
- A vulnerability in WordPress core that allows arbitrary shortcode execution
- Possible exposure of user email addresses to unauthenticated attackers
- A POP chain vulnerability that could lead to remote code execution
- Cross-site scripting (XSS) vulnerability in the post link navigation block
- Comments on private posts exposed to users who should not be able to see them
- Reflected cross-site scripting (XSS) vulnerability in the application password screen
- Cross-site scripting (XSS) vulnerability in the footnote block
- Cache poisoning denial of service (DoS) vulnerability
Some of the vulnerabilities are due to inadequate input sanitization, meaning submitted data is not filtered for malicious input before it is used.
The official WordPress developer page on input sanitization states:
“Untrusted data comes from many sources (users, third-party websites, even your own database!) and all of it must be checked before use.
Sanitizing input is the process of securing, cleaning, and filtering input data.
Validation is preferred over sanitization because validation is more specific.
But when ‘more specific’ isn’t possible, sanitization is the next best thing.”
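The distinction the WordPress documentation draws (validate against an exact specification where one exists, sanitize only where it does not, and escape separately on output) is easier to see in code. The following is an added example, not code from the article or from WordPress core; it is plain PHP so it runs from the command line without WordPress, and the function names are hypothetical stand-ins for the real WordPress helpers named in the comments (absint(), is_email(), sanitize_text_field(), esc_html()). The request array is constructed sample data.

```php
<?php
// Added example (not from the article or WordPress core): validation vs.
// sanitization of untrusted request data, in plain PHP so it runs from the CLI.
// The function names below are hypothetical; WordPress ships its own helpers
// (absint(), is_email(), sanitize_text_field(), esc_html()) for the same jobs.

declare(strict_types=1);

/**
 * Validation: accept only input that matches a precise specification and
 * reject everything else. A post ID must be a positive integer, nothing more.
 * (WordPress equivalent: absint(), though that one coerces rather than rejects.)
 */
function validate_post_id(string $raw): ?int {
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null; // reject: not a positive integer
    }
    return (int) $raw;
}

/**
 * Validation of an email address: there is an exact definition to check
 * against, so validate rather than "clean" it. (WordPress: is_email().)
 */
function validate_email(string $raw): ?string {
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

/**
 * Sanitization: when no exact specification exists (a free-text title),
 * fall back to stripping what must not be there: tags, control characters
 * and runs of whitespace. This mirrors what sanitize_text_field() does.
 */
function sanitize_text(string $raw): string {
    $text = strip_tags($raw);
    $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text); // drop control characters
    $text = preg_replace('/\s+/', ' ', $text);            // collapse whitespace
    return trim($text);
}

/**
 * Output escaping is a separate step from input handling: whatever was stored
 * is encoded for the context it is printed into (an HTML element body here).
 * (WordPress: esc_html().)
 */
function escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request data standing in for $_POST.
$request = [
    'post_id' => '42abc',
    'email'   => 'reader@example.com',
    'title'   => "Hello <script>alert(1)</script>\x00 world   ",
];

$post_id = validate_post_id($request['post_id']);
$email   = validate_email($request['email']);
$title   = sanitize_text($request['title']);

var_dump($post_id);              // NULL: rejected outright rather than "cleaned" into 42
var_dump($email);                // string(18) "reader@example.com"
var_dump($title);                // string(20) "Hello alert(1) world"
echo escape_html($title), "\n";  // safe to place inside an HTML element
```

The point of the first two functions is that a value with a precise definition is rejected when it does not match, which is more robust than trying to repair it; sanitize_text() is only used for the field that has no such definition, and even then the result is still escaped at output time because sanitization on input does not make a value safe for every context it may later be printed into.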
All vulnerabilities are rated as medium severity, including patches for five medium severity issues.
Wordfence's advisory on the latest security release notes that at least one of the vulnerabilities could enable a complete takeover of a website.
WordPress recommends that all users check whether their installations have been updated to the latest version, WordPress 6.3.2.
According to the official WordPress announcement:
“As this is a security release, it is recommended that you update your websites immediately.
Backports are also available for other major WordPress versions, 4.1 and above.”
Read the official WordPress security release announcement:
WordPress 6.3.2 – Maintenance and security release