Critical XSS Vulnerability Found in WordPress - Urgent Update to Version 6.5.2 Advised


WordPress urgently advises updating to version 6.5.2 to address a critical XSS vulnerability. This security and maintenance release provides essential patches to safeguard your website from potential threats.

WordPress recently released the 6.5.2 Maintenance and Security Release. This update addresses a stored cross-site scripting security issue and resolves more than twelve bugs found in both the core system and the block editor. The vulnerability impacts both the WordPress core and the Gutenberg plugin.

Cross Site Scripting (XSS)

An XSS vulnerability was discovered in WordPress that could allow an attacker to inject scripts into a website; those scripts then attack visitors to the affected pages.

There are three types of XSS vulnerabilities, with reflected XSS and stored XSS being the most commonly found in WordPress plugins, themes, and WordPress itself.

Reflected XSS requires the victim to click on a link, an extra step that makes this type of attack more difficult to carry out.

A stored XSS is a more concerning type of vulnerability as it enables attackers to upload a script onto a vulnerable website, which can then be used to attack visitors. The recently found vulnerability in WordPress is a stored XSS.

The risk is somewhat reduced in this case because it is an authenticated stored XSS. This means that the attacker must first obtain contributor-level permissions on the vulnerable website before they can exploit the flaw.

This vulnerability is rated as a medium-level threat, receiving a Common Vulnerability Scoring System (CVSS) score of 6.4 on a scale of 1 – 10.

Wordfence describes the vulnerability:

WordPress Core Vulnerability Alert: Stored Cross-Site Scripting via User Display Names

WordPress Core has been found vulnerable to Stored Cross-Site Scripting through user display names in the Avatar block. This security flaw exists in versions up to 6.5.2 due to inadequate output escaping on the display name. As a result, authenticated attackers with contributor-level access and above can inject arbitrary web scripts into pages. These scripts will then execute whenever a user accesses the injected page.
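To make the "inadequate output escaping on the display name" point concrete, here is an added example (not WordPress or Wordfence code) that renders a display name into avatar markup with and without escaping, then audits an exported user list for names worth reviewing. The placement in an `alt` attribute, the JSON field names and every sample record are assumptions constructed for illustration.

```python
import html
import json
import re

# Constructed sample: user records as they might be exported to JSON.
# Field names (ID, display_name, roles) are assumptions for this example.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "display_name": "Site Admin", "roles": "administrator"},
    {"ID": 7, "display_name": "Dana O'Brien", "roles": "contributor"},
    {"ID": 9, "display_name": "Tom & Co", "roles": "author"},
    {"ID": 12, "display_name": 'x" onload="constructed()', "roles": "contributor"},
    {"ID": 15, "display_name": "<script>constructed()</script>", "roles": "contributor"},
])

# Characters that let a value break out of an HTML attribute or open a tag.
# Apostrophes and ampersands occur in real names, so they are escaped at
# output time but are not treated as suspicious on their own.
SUSPICIOUS = re.compile(r'[<>"]')


def render_avatar_unsafe(display_name: str) -> str:
    """Mirrors the bug class: the name reaches an attribute unescaped."""
    return f'<img class="avatar" alt="{display_name} Avatar">'


def render_avatar_safe(display_name: str) -> str:
    """Escape for the attribute context at the point of output."""
    escaped = html.escape(display_name, quote=True)
    return f'<img class="avatar" alt="{escaped} Avatar">'


def audit_display_names(export_json: str) -> list:
    """Return the records whose display name contains markup characters."""
    return [u for u in json.loads(export_json)
            if SUSPICIOUS.search(u["display_name"])]


if __name__ == "__main__":
    for user in audit_display_names(SAMPLE_EXPORT):
        print(f'review user {user["ID"]} ({user["roles"]}):',
              render_avatar_safe(user["display_name"]))
```

The audit only narrows down accounts to review after patching; escaping at output remains the actual fix, since it also neutralises names the pattern does not flag.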

WordPress.org Urges Immediate Update

The official WordPress announcement suggests that users update their installations for security reasons. It is advised to update your sites right away. Backports are also available for other major WordPress releases, starting from version 6.1.

Read the Wordfence advisories:

WordPress Core < 6.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Gutenberg 12.9.0 – 18.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Read the official WordPress.org announcement:

WordPress 6.5.2 Maintenance and Security Release


Editor's P/S:

The recent WordPress 6.5.2 update addresses a critical stored XSS vulnerability, highlighting the importance of regular security maintenance for websites. This