WordPress 6.5.5 Security Release: Essential Information for Website Owners

On June 24, 2023, WordPress Core 6.5.5 was released, addressing three significant security vulnerabilities. This release includes fixes for two Cross-Site Scripting (XSS) vulnerabilities and one Windows-specific Directory Traversal vulnerability. While these vulnerabilities are classified as medium-severity, they pose a substantial risk, particularly the XSS vulnerabilities, which could allow site takeover by an authenticated, contributor-level user. In this article, we will explore the details of these vulnerabilities, the impact on your website, and the steps you need to take to ensure your site remains secure.

Table of Contents

1. Overview of the Security Release
2. Detailed Analysis of Vulnerabilities
   • Contributor+ Stored Cross-Site Scripting in the HTML API
   • Contributor+ Stored Cross-Site Scripting in the Template Part Block
   • Windows-only Directory Traversal
3. Steps to Secure Your Website
4. Key Takeaways
5. Conclusion

Overview of the Security Release

WordPress Core 6.5.5 was released to address three medium-severity vulnerabilities:

• Two Cross-Site Scripting (XSS) vulnerabilities
• One Windows-specific Directory Traversal vulnerability

Despite their medium-severity classification, these vulnerabilities could potentially allow an authenticated, contributor-level user to take over a site if successfully exploited.

Detailed Analysis of Vulnerabilities

Contributor+ Stored Cross-Site Scripting in the HTML API

• Description: Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API
• Affected Versions: WordPress Core < 6.5.5
• Researchers: Alex Concha, Dennis Snell, Grzegorz Ziółkowski, Aaron Jorbin
• CVSS Score: 6.4 (Medium)
• CVSS Vector: CVSS:3.1/AV/AC/PR

  /UI

  /S

  /C

  /I

  /A

• Fully Patched Version: 6.5.5

WordPress Core versions up to 6.5.5 are vulnerable to Stored Cross-Site Scripting (XSS) via the HTML API due to insufficient input sanitization and output escaping on URLs. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page.

Technical Changes in WordPress 6.5.5:

• Additional protections in the set_attribute() function of the HTML API to further escape URL attributes.
• Improvements in sanitization and escaping mechanisms to prevent XSS attacks.

Contributor+ Stored Cross-Site Scripting in the Template Part Block

• Description: Authenticated (Contributor+) Stored Cross-Site Scripting via Template Part Block
• Affected Versions: WordPress Core < 6.5.5
• Researcher: Rafie Muhammad (Patchstack)
• CVSS Score: 6.4 (Medium)
• CVSS Vector: CVSS:3.1/AV/AC/PR

  /UI

  /S

  /C

  /I

  /A

• Fully Patched Version: 6.5.5

WordPress Core versions up to 6.5.5 are vulnerable to Stored Cross-Site Scripting (XSS) via the Template Part block due to insufficient input sanitization and output escaping on the ‘tagName’ attributes. This vulnerability allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages, which will execute whenever a user accesses an injected page.

Technical Changes in WordPress 6.5.5:

• Additional sanitization to the Template Part block’s ‘tagName’ attribute.
• Enhanced security measures to prevent XSS attacks through the Template Part block.

Windows-only Directory Traversal

• Description: Authenticated (Contributor+) Directory Traversal
• Affected Versions: WordPress Core < 6.5.5
• Researchers: apple502j, Rafie Muhammad (Patchstack), Edouard L, David Fifield, x89, mishre
• CVSS Score: 4.3 (Medium)
• CVSS Vector: CVSS:3.1/AV/AC/PR

  /UI

  /S

  /C

  /I

  /A

• Fully Patched Version: 6.5.5

WordPress Core versions up to 6.5.5 are vulnerable to Directory Traversal via the Template Part block. This vulnerability allows authenticated attackers with contributor-level access and above to include arbitrary HTML files on sites running Windows.

Technical Changes in WordPress 6.5.5:

• Addition of a path normalization function within the validate_file() function to prevent Directory Traversal attacks.

Steps to Secure Your Website

1. Verify Automatic Updates: Ensure your site has been automatically updated to one of the patched versions. WordPress supports automatic core updates for security releases since version 3.7.
2. Manual Update: If your site has not been updated automatically, update manually to the latest patched version immediately.
3. Security Audit: Perform a comprehensive security audit to identify any other potential vulnerabilities.
4. Monitor Updates: Keep an eye on updates from the WordPress security team and promptly apply any new patches.

Key Takeaways

• Importance of Updates: Regularly updating WordPress and its plugins is crucial for maintaining website security.
• Medium-Severity Vulnerabilities: Although classified as medium-severity, the vulnerabilities addressed in WordPress 6.5.5 can lead to severe consequences if exploited.
• Proactive Measures: Conduct regular security audits and monitor for updates to stay ahead of potential threats.

Conclusion

The WordPress 6.5.5 security release addresses critical vulnerabilities that could potentially lead to site takeovers by low-privileged users. By ensuring your site is updated to the latest patched version, you can protect your website from these threats. Stay vigilant and proactive in maintaining your website’s security to safeguard your digital assets.