![]() ![]() Most of the other issues fixed today are similar in that they require specific configurations or circumstances, such as other vulnerable plugins, to impactfully exploit. ![]() The Wordfence firewall’s built-in directory traversal protection should block attempts to exploit the directory traversal vulnerability, and it would typically only be impactful when exploited by a skilled attacker in certain configurations. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours. In today’s article, we covered five vulnerabilities patched in the WordPress 6.2.1 Security and Maintenance Release. While this is likely to have minimal impact on its own, it can significantly increase the severity and exploitability of other vulnerabilities. This could allow unauthenticated attackers to execute shortcodes via submitting comments or other content, allowing them to exploit vulnerabilities that typically require Subscriber or Contributor-level permissions. WordPress Core processes shortcodes in user-generated content on block themes in versions up to, and including, 6.2. If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.Īs with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.ĭescription: WordPress Core <= 6.2 – Shortcode Execution in User Generated ContentĪffected Versions: WordPress Core < 6.2.1ĬVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues. We recommend verifying that your site has been automatically updated to one of the patched versions. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. These patches have been backported to every version of WordPress since 4.1. On May 16, 2023, the WordPress core team released WordPress 6.2.1, which contains patches for 5 vulnerabilities, including a Medium Severity Directory Traversal vulnerability, a Medium-Severity Cross-Site Scripting vulnerability, and several lower-severity vulnerabilities. WordPress Core 6.2.1 Security & Maintenance Release – What You Need to Know ![]()
0 Comments
Leave a Reply. |