Welcome back to the Patchstack Weekly Security Update! This update is for week 36 of 2022.
This week, I will be giving an unofficial WordPress Security Release announcement discussing the changes I found in the recent 6.0.2 release. And dig into the risks or lack thereof posed by these security bugs that were patched in WordPress core.
I will also remind people about WordCamp US coming up next week!
In this week's vulnerability roundup I will cover that WordPress core security release as well as one plugin with multiple SQL injection security bugs patched in it recently.
Unofficial WordPress 6.0.2 Security Release Announcement
WordPress 6.0.2 was made available on August 30th, 2022, and addresses three security bugs. This security release was backported all the way back to WordPress version 3.7! You can read the official announcement on WordPress.org but I would like to share some notes I made after doing a quick review of this release.
The three security bugs patched have been reported as a medium to high severity rating by third parties, the official from WordPress.org release notes provided no severity rating. There are also no proof of concepts (or exploitation steps) nor any reports of these bugs actively targeted in the wild. This is because the security bugs were reported and handled through WordPress.org's official Bug Bounty program … as well as one WordPress security team member, John Blackbourn who at this time is sponsored by Human Made.
But, back to the vulnerabilities which are what site owners are more concerned about. There were three security bugs which can be classified as XSS, Stored XSS, and SQL Injection. Each of these security bugs has special conditions required to weaponize them, such as authentication or a requirement about how a plugin or theme mishandles user-inputted data.
Simply put, the sky is not falling and your site is safe. You should patch of course, but you do not need to worry or rush to patch.
For starters, authentication is required for the XSS security bugs to be exploitable. If you trust your website's users not to exploit or attack your website, then these security bugs pose no immediate threat. If you do not fully trust your users, if they have a sort of suspicious air around them, then you may want to push this update soon (or reconsider who you give access to). And, to cover all my bases, if you are the only person with an account on your WordPress website, then I hope you trust yourself.
This requirement of authentication to target these security bugs weighs heavily on reducing the severity score.
But wait, there is more... to not be worried about.
The conditions required for the most severe sounding of these three bugs, an SQL Injection, are outside of the attacker's control. While WordPress core contains the patch, it does not contain vulnerable code. This may sound odd but think of it this way. In order for a site to be vulnerable, a plugin or theme would have to be introducing the vulnerable code that mishandles user input allowing it to be sent through to the core function that was just patched. This fact further reduces the worry you may feel about seeing this security release.
The good news is that WordPress core is patching security bugs with esoteric and unlikely requirements. This means that the more serious bugs - the sort of bugs that really should scare you and keep webmasters up at night - probably do not exist. There is no reason to be afraid because your WordPress sites are safe.
Patch your WordPress websites though! I like to say: keep on patchin' but don't be worrying. You can apply the 6.0.2 patch or one of the backported releases to your WordPress website when it is convenient for you in this case.
WordCamp US coming up
For those of you out there heading to WordCamp US in San Diego next week. I look forward to meeting you and the many other friends and neighbors in the WordPress community. If you will be attending, please say "hello" if you spot me in the crowd, and I hope you can check out my workshop about Making Security Simple for Plugin and Theme Developers which is scheduled for late Saturday.
Vulnerability roundup
zephyr-project-manager - Multiple Unauthenticated SQL Injection
The proof of concept is scheduled to be released publicly on September 12th, so that is your Time to Patch deadline unless you have Patchstack App's vPatching solution set up already.
WordPress Core 6.0.2 Security Release
These three security bugs were the topic of this week's knowledge share, but you can read more about these at the following links:
- WordPress 6.0.2 Official Release Announcement
- WordPress <= 6.0.1 - Authenticated Cross-Site Scripting (XSS)
- WordPress <= 6.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
- WordPress <= 6.0.1 - Authenticated SQL Injection (SQLi) vulnerability via Link API
Thanks and appreciation
This week's thanks go out to the security researchers who found and reported the security bugs in WordPress core.
Fariskhi Vidyan for reporting the SQL injection possibility
Khalilov Moe for reporting an XSS vulnerability in the plugins screen.
John Blackbourn for reporting an output escaping issue in the_meta()
A special thank you is extended to the WordPress contributors who wrote the patches to secure WordPress websites from these security bugs.
I will be at WordCamp US next week, so you can expect a short delay until the next Patchstack Weekly Security Update.
