WordPress Vulnerability Report #13 – September 2019

September marked the release of WordPress Security and Maintenace Release 5.2.3. The update has fixed several vulnerabilities in the core platform, affecting mostly the 5.2.2 build, but in some cases older versions, up to the first WordPress release. Security experts have identified 5 Cross-Site Scripting vulnerabilities and a possible redirect to malicious websites within the core of the platform. The 13th issue of WordPress Vulnerability Report is here to give you a better idea of how these loopholes could affect your website.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.

In this issue:

  • WordPress 5.2.2 - Cross-Site Scripting (XSS) in Comments
  • WordPress 5.2.2 - Authenticated Cross-Site Scripting in Post Previews
  • WordPress 5.2.2 - Potential Open Redirect
  • WordPress 1.0-5.2.2 - Cross-Site Scripting in URL Sanitisation
  • WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews
  • WordPress 5.2.2 - Cross-Site Scripting in Dashboard

Our goal is to make the Web secure and transparent for everyone. If you have questions regarding our report, don’t hesitate to contact us.

We also offer professional security monitoring – including plugin monitoring, offsite backups, and much more. Learn more about our WordPress security and maintenance services and subscribe to our newsletter for monthly updates on WordPress vulnerabilities.


Secure business website – WordPress core and plugin vulnerabilities

Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information please read our introductory article.

WordPress 5.2.2 - Cross-Site Scripting (XSS) in Comments!

Problem
Admins performing specific actions on a malicious comment can cause execution of a malicious script.
Is it safe?
A vague description of the fix made it harder to identify the issue. However, looking at the code changes, this doesn't seem to be easily exploitable. Viewing the comment alone shouldn't execute the code and most likely it would require an admin to edit the comment and then for someone (the admin or another user) to interact with a malicious URL.
Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

WordPress 5.2.2 - Authenticated Cross-Site Scripting in Post Previews!

Problem
Rather than using safe values from a database, the post status field pulls its value from the dropdown items.
Is it safe?
An attacker with access to a contributor's account could create their own dropdown value and use it to execute malicious scripts, potentially leading to a full website takeover.
Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

WordPress 5.2.2 - Potential Open Redirect!

Problem
A bug in one of the WordPress functions allows bypassing URL validation.
Is it safe?
The attacker can create malicious redirects using URL parameters, exposing the visitors to attacks from other websites or performing a phishing attack.
Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

WordPress 1.0-5.2.2 - Cross-Site Scripting in URL Sanitisation!

Problem
The validation and sanitisation issue also allows for potential XSS attacks.
Is it safe?
Attackers could craft links to your website that are appended with malicious script. The code would execute after someone interacts with the link.
Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

WordPress 5.0-5.2.2 - Authenticated Stored XSS in Shortcode Previews!

Problem
It's possible to insert a code into a shortcode that would enable an XSS attack.
Is it safe?
Using the vulnerability requires shortcode edition privilege. When injected with a malicious script, previewing the shortcode can execute the code and lower-privileged attacker could perform actions as the target user.
Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

WordPress 5.2.2 - Cross-Site Scripting in Dashboard!

Problem
We know very little about the nature of this vulnerability, as it was discovered by a WordPress security team member.
Is it safe?
From what we understand, this works similarly to the URL vulnerabilities. The attacker can forge a link to your own WordPress dashboard and execute a script in your dashboard. This could create an admin account for the attacker or cause several malicious actions.
Our recommendation
Upgrade to the WordPress Security and Maintenance Release 5.2.3 as soon as possible.

Got Something To Share?

Your email address will not be published. Required fields are marked *