WordPress announces security update for two vulnerabilities
WordPress announced a security update to fix two vulnerabilities. These vulnerabilities could provide an attacker with the opportunity to stage a full site takeover.
Of the two vulnerabilities, the more serious is a stored cross-site scripting (stored XSS) vulnerability, in which an attacker is able to upload a script directly to the WordPress website. Vulnerabilities of this kind are generally found anywhere the WordPress site accepts input, such as when submitting a post or a contact form.
The second issue is actually two separate problems, both prototype pollution vulnerabilities, a class of flaw in the JavaScript code or a JavaScript library used by the website. One is a prototype pollution vulnerability in the Gutenberg wordpress/url package, a module within WordPress that lets a WordPress website manipulate URLs. The other is a prototype pollution vulnerability in jQuery; this vulnerability is fixed in jQuery 2.2.3.
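The prototype pollution class described above, as an added example that is not code from WordPress, the wordpress/url package or jQuery: a hypothetical query-string parser with bracket syntax (a[b]=c), in a naive form that lets a crafted key write onto Object.prototype and in a hardened form that uses null-prototype containers and rejects chain-related names. The key and value names in the comments (isAdmin and the like) are constructed for the illustration.

```javascript
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']); // names that reach the chain

// Turn "a[b]=c&d=e" into [[['a', 'b'], 'c'], [['d'], 'e']].
function splitPairs(query) {
  return query.split('&').filter(Boolean).map((pair) => {
    const [rawKey, rawValue = ''] = pair.split('=');
    const path = decodeURIComponent(rawKey).replace(/\]/g, '').split('[');
    return [path, decodeURIComponent(rawValue)];
  });
}

// Vulnerable: nests into plain {} objects. A key such as __proto__[x] walks from
// the result object onto Object.prototype, so every object in the process gains x.
function parseQueryNaive(query) {
  const result = {};
  for (const [path, value] of splitPairs(query)) {
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = {};
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}

// Hardened: null-prototype containers (no chain to walk), only own properties
// are followed, and chain-related names are dropped outright.
function parseQuerySafe(query) {
  const result = Object.create(null);
  for (const [path, value] of splitPairs(query)) {
    if (path.some((p) => FORBIDDEN_KEYS.has(p))) continue;
    let node = result;
    for (let i = 0; i < path.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(node, path[i]);
      if (!own || typeof node[path[i]] !== 'object' || node[path[i]] === null) {
        node[path[i]] = Object.create(null);
      }
      node = node[path[i]];
    }
    node[path[path.length - 1]] = value;
  }
  return result;
}
// Detection helper: true if a plain object unexpectedly inherits `name`.
function prototypeIsPolluted(name) {
  return name in {};
}
```

The same two hardening measures (Object.create(null) for parsed containers and an explicit deny-list for prototype-related keys) are what library fixes for this bug class generally amount to.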
The Wordfence vulnerability analysis concluded: “An attacker successfully able to execute JavaScript in a victim’s browser could potentially take over a site, but the complexity of a practical attack is high and would likely require a separate vulnerable component to be installed.”
The latest version of WordPress, 5.9.2, fixes the two security issues and also patches one bug that could produce an error message on sites using the Twenty Twenty-Two theme. The official WordPress announcement recommends that all publishers update their installation to WordPress version 5.9.2. If a website is not yet on version 5.9.2, the next steps are to back up the site itself and then update to the latest version.