WordPress 5.2.3 fixes multiple issues, including some severe XSS flaws

The WordPress development team released version 5.2.3 that includes 29 fixes, enhancements, and several security patches.

WordPress developers released a security and maintenance version 5.2.3 that includes 29 fixes, several enhancements and security patches.

These flaws affect the versions 5.2.2 and earlier of the popular CMS.

Most of the security flaws addressed with the release of the version 5.2.3 are cross-site scripting (XSS) issues.

The development team credited Simon Scannell of RIPS Technologies for two of the flaws addressed with the new version.

“This security and maintenance release features 29 fixes and enhancements. Plus, it adds a number of security fixes” reads the security advisory published by WordPress.

“These bugs affect WordPress versions 5.2.2 and earlier; version 5.2.3 fixes them, so you’ll want to upgrade.”

In March, RIPS disclosed two XSS flaws, a first one affecting post previews by contributors, the second one in stored comments. RIPS experts also reported other flaws that can be exploited for remote code execution.

The first one was a CSRF vulnerability in WordPress reported by Simon Scannell that could potentially lead to remote code execution attacks. The other issue disclosed by RIPS Technologies is a critical remote code execution vulnerability in versions of WordPress prior
5.0.3, that remained uncovered for 6 years.

The flaw could be exploited by an attacker who gains access to an account with at least ‘author‘ privileges on a WordPress install to execute arbitrary PHP code on the underlying server.

WordPress credited Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect, Anshul Jain for disclosing reflected cross-site scripting during media uploads, Zhouyuan Yang of Fortinet’s FortiGuard Labs for disclosing an XSS vulnerability in shortcode previews, Ian Dunn from Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard, and Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.

The security advisory is also informing admins that the WordPress development team is also updating jQuery on older versions of WordPress. The change was introduced in version 5.2.1 and is now being extended to older versions.

The change aims at protecting WordPress users from XSS attacks exploiting a flaw in previous versions of jQuery.

As usual, websites that support automatic updates may have already been updated. The administrators of websites for some reasons have disabled automatic updates can do it from the Updates section of their WordPress dashboard.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Security, XSS)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.