WordPress Releases 6.02 Security Vulnerability Update

WordPress released an update containing bug fixes and security patches to address three vulnerabilities rated as severe to medium severity.

The updates may have been downloaded and installed automatically, so it’s essential to check if the website has indeed updated to 6.02 and if everything still functions normally.

Bug Fixes

The update contains twelve fixes for the WordPress core and five for the block editor.

One notable change is an improvement to the Pattern Directory, which is meant to help theme authors serve just the patterns related to their themes.

The goal of this change is to make it more appealing for use by theme authors so that they use it and to present a better user experience to publishers.

“Many theme authors want to have all core and remote patterns disabled by default using remove_theme_support( ‘core-block-patterns’ ). This ensures they are serving only patterns relevant to their theme to customers/clients.

This change will make the Pattern Directory more appealing/usable from the theme author’s perspective.”

Three Security Patches

The first vulnerability is described as a high severity SQL Injection vulnerability.

A SQL injection vulnerability allows an attacker to query the database that underpins the website and add, view, delete or modify sensitive data.

According to a report by Wordfence, WordPress 6.02 patches a high severity vulnerability SQL injection vulnerability, but the vulnerability requires administrative privileges to be executed.

Wordfence described this vulnerability:

“The WordPress Link functionality, previously known as “Bookmarks”, is no longer enabled by default on new WordPress installations.

Older sites may still have the functionality enabled, which means that millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress.

Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration.”

The second and third vulnerabilities are described as Stored Cross-Site Scripting, one of which is reported not to affect the “vast” majority of WordPress publishers.

Moment JavaScript Date Library Updated

One more vulnerability was fixed, but it wasn’t a part of WordPress core. This vulnerability is to a JavaScript data library called Moment that WordPress uses.

The vulnerability to the JavaScript library was assigned a CVE number, and details are available at the U.S. government National Vulnerability Database. It is documented as a bug fix at WordPress.

What To Do

The update should be rolling out automatically to sites from version 3.7.

It may be helpful to verify if the site is functioning correctly and that there are no conflicts with the current theme and installed plugins.

Citations

WordPress Core 6.0.2 Security & Maintenance Release – What You Need to Know

Allow remote pattern registration in theme.json when core patterns are disabled.

Featured image by Shutterstock/Krakenimages.com