WordPress Releases New Security Vulnerability Update

Almost like they read our article about WordPress Malicious Plugins. WordPress Releases New Security Vulnerability Update containing bug fixes and security patches to address three vulnerabilities rated as severe to medium severity.

The updates may have been downloaded and installed automatically, so it’s essential to check if the website has indeed updated to 6.02 and if everything still functions normally.

More WordPress News: Read Now

Bug Fixes

The update contains twelve fixes for the WordPress core and five for the block editor.

One notable change is an improvement to the Pattern Directory, which is meant to help theme authors serve just the patterns related to their themes.

The goal of this change is to make it more appealing for use by theme authors so that they use it and to present a better user experience to publishers.

“Many theme authors want to have all core and remote patterns disabled by default using remove_theme_support( ‘core-block-patterns’ ). This ensures they are serving only patterns relevant to their theme to customers/clients.

This change will make the Pattern Directory more appealing/usable from the theme author’s perspective.”

WordPress Releases New Security Vulnerability Update

Three Security Patches

The first vulnerability is described as a high severity SQL Injection vulnerability.

A SQL injection vulnerability allows an attacker to query the database that underpins the website and add, view, delete or modify sensitive data.

According to a report by Wordfence, WordPress 6.02 patches a high severity vulnerability SQL injection vulnerability, but the vulnerability requires administrative privileges to be executed.

Wordfence described this vulnerability:

“The WordPress Link functionality, previously known as “Bookmarks”, is no longer enabled by default on new WordPress installations.

Older sites may still have the functionality enabled, which means that millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress.

Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration.”

The second and third vulnerabilities are described as Stored Cross-Site Scripting, one of which is reported not to affect the “vast” majority of WordPress publishers.

Moment JavaScript Date Library Updated

One more vulnerability was fixed, but it wasn’t a part of WordPress core. This vulnerability is to a JavaScript data library called Moment that WordPress uses.

The vulnerability to the JavaScript library was assigned a CVE number, and details are available at the U.S. government National Vulnerability Database. It is documented as a bug fix at WordPress.

What To Do

The update should be rolling out automatically to sites from version 3.7.

It may be helpful to verify if the site is functioning correctly and that there are no conflicts with the current theme and installed plugins.

And remember, DO YOUR UPDATES!

nerd of fortune, very handsome

I am the Nerd of Fortune. I have been hustling from home (part-time) for about 15 years & working exclusively from home for several years – and loving it! I am a firm believer in making ‘working from home’ a success for everyone…

Post Author: