Use WordPress? It just released its 6.02 security vulnerability update

by WarriorForum.com Administrator
4 replies
A new article on Search Engine Journal reports that WordPress just released a security and maintenance update to patch three vulnerabilities.

WordPress released an update containing bug fixes and security patches to address three vulnerabilities rated as severe to medium severity. The updates may have been downloaded and installed automatically, so it's essential to check if the website has indeed updated to 6.02 and if everything still functions normally.

Bug fixes

The update contains twelve fixes for the WordPress core and five for the block editor. One notable change is an improvement to the Pattern Directory, which is meant to help theme authors serve just the patterns related to their themes. The goal of this change is to make it more appealing for use by theme authors so that they use it and to present a better user experience to publishers.

"Many theme authors want to have all core and remote patterns disabled by default using remove_theme_support( 'core-block-patterns' ). This ensures they are serving only patterns relevant to their theme to customers/clients. This change will make the Pattern Directory more appealing/usable from the theme author's perspective."

Three Security Patches

The first vulnerability is described as a high severity SQL Injection vulnerability. A SQL injection vulnerability allows an attacker to query the database that underpins the website and add, view, delete or modify sensitive data.

According to a report by Wordfence, WordPress 6.02 patches a high severity SQL injection vulnerability, but the vulnerability requires administrative privileges to be executed. Wordfence described this vulnerability:

"The WordPress Link functionality, previously known as 'Bookmarks', is no longer enabled by default on new WordPress installations. Older sites may still have the functionality enabled, which means that millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress. Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration."

The second and third vulnerabilities are described as Stored Cross-Site Scripting, one of which is reported not to affect the "vast" majority of WordPress publishers. One more vulnerability was fixed, but it wasn't a part of WordPress core. This vulnerability is to a JavaScript data library called Moment that WordPress uses.

The vulnerability to the JavaScript library was assigned a CVE number, and details are available at the U.S. government National Vulnerability Database. It is documented as a bug fix at WordPress.

What To Do

The update should be rolling out automatically to sites from version 3.7. It may be helpful to verify if the site is functioning correctly and that there are no conflicts with the current theme and installed plugins.
#602 #released #security #update #vulnerability #wordpress
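A post-update check matching the "What To Do" advice and the Wordfence quote above, written here as an added example (it is not from the article, Wordfence or WordPress). It assumes WP-CLI (`wp`) is installed and the script is run from the site root; the release the thread calls 6.02 is reported by WordPress itself as 6.0.2, which is the string the comparison uses, and `link_manager_enabled` is the option that controls the legacy Link Manager ("Bookmarks") the quote refers to.

```shell
#!/bin/sh
# Added example (not from the article, Wordfence or WordPress): a post-update
# check for the 6.0.2 release. Assumes WP-CLI ("wp") is installed and the
# script runs from the site root.

# True (exit 0) when dotted version $1 is at least $2, compared numerically
# on major.minor.patch; missing components count as 0.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
        y=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Verdict for the installed core version against the 6.0.2 release.
core_verdict() {
    if version_ge "$1" "6.0.2"; then
        echo "core $1: patched"
    else
        echo "core $1: unpatched, run 'wp core update'"
    fi
}

# Verdict for the link_manager_enabled option. New installs since WordPress
# 3.5 store 0; older sites that had links keep 1, which is the legacy
# population the Wordfence quote refers to.
link_manager_verdict() {
    if [ "$1" = "1" ]; then
        echo "link_manager_enabled=1: legacy Link Manager (Bookmarks) is on; disable it if unused"
    else
        echo "link_manager_enabled=${1:-0}: Link Manager is off"
    fi
}

main() {
    # Take a database backup before touching anything.
    wp db export "backup-$(date +%F).sql" --quiet
    core_verdict "$(wp core version)"
    # The option may be absent on some sites; treat that as disabled.
    lm=$(wp option get link_manager_enabled 2>/dev/null || echo 0)
    link_manager_verdict "$lm"
}

if command -v wp >/dev/null 2>&1; then main; else echo "wp-cli not found" >&2; fi
```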
  • ChristopherAndreas (Banned):
    I have been using WordPress for a long time. I like how it works. But has someone already tried this new version? Please let me know!!!!!!
  • Swapna George:
    I have not updated WordPress yet. I will tell you how it is after the update.
  • Swapna George:
    You can see the WordPress update notification on the updates page when you log into your account. All you have to do is press the Update link.

    But before updating WordPress, make sure you have a backup.
  • info linuxpanda:
    The first vulnerability is described as a high severity SQL Injection vulnerability.

    A SQL injection vulnerability allows an attacker to query the database that underpins the website and add, view, delete or modify sensitive data.

    According to a report by Wordfence, WordPress 6.02 patches a high severity SQL injection vulnerability, but the vulnerability requires administrative privileges to be executed.

    "The WordPress Link functionality, previously known as 'Bookmarks', is no longer enabled by default on new WordPress installations.

    Older sites may still have the functionality enabled, which means that millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress.

    Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration."
  • Claire Koch:
    I hate WP. I cannot get over HTML; I taught myself back in the day and love the code. I use it though and always get hacked. Hope the stupid update works wonders, because that hacking stuff is a pain in the bum.