A new WordPress security release was announced today. On October 17th, 2022 WordPress Core released version 6.0.3 a security only release. This release includes a substantial number of security bug patches, so I will be reviewing them and sharing the details with you in this post.
All security releases are important. You may want to schedule updating your WordPress installations soon but the good news is there are no high or critical risk security bugs patched in this release. There is no need to drop everything to apply this patch today, but it would be best to put aside some time in your calendar soon.
The highest severity risk any of these security bugs posed was "Medium". Many of the bugs patched are "Low" severity as they require authentication to perform as an attack and have limited impact.
The highest risk bugs are related to an open redirect, leaked tag or term values in unpublished posts, or authenticated XSS. I have written more details for each below in the "breakdown of patched bugs" section.
This security release came about with the help of 11+ security researchers and 28+ of WordPress.org volunteers and developers. Now, it is up to the over 450+ million WordPress site owners to do their part and apply the patch.
Patches have been back-ported. Every Major WordPress release back to 3.7 received new minor version today which includes patches to address these security bugs. This is an astonishing 9 years of support for the 3.7 branch. Which, is about to come to an end. In just over a month, on December 1st 2022, back-ported security patches will only go back to version 4.1 of WordPress. If you are running WordPress 3.7 to 4.0 you will need to update your sites to a supporter Major release (4.1 or higher) to continue receiving security patches.
I have provided brief summaries of the security bugs patches and included a CVSS severity score for each.
These two security bugs appear to have the highest risks. They require no authorization and could be weaponized as attacks against default WordPress configurations.
The good news is, a successful attack would have a very limited impact. Open redirects require tricking a user and a post's tags and terms values may be inconsequential if leaked before being published.
Two of the patched security bugs are related to wp-mail.php. They only affect WordPress sites with the "Post via email" setting enabled and configured. Default WordPress installations do not have "Post via email" configured.
You can check if the "Post via email" is enabled via the "Settings > Writing" page in wp-admin and look under the "Post via email" section.
If you do have "Post via email" configured, then you will want to update to the 6.0.3 security release ASAP. The risks related to this could include the leaking of e-mail addresses and possibly allowing authors to post arbitrary HTML (XSS payloads) in their e-mail based posts.
All of the Gutenberg security bug patches can be summarized as improved security hardening for the editor. Each requires authentication as a user with authorization to edit or add posts in WordPress (e.g.. access level high enough to use the Gutenberg editor), these bug patches improved data sanitization for each bug's respective block type.
The 6.0.3 Security Release of WordPress addresses a large number of security bugs, but the severity is only as high as the bug patched with the highest risk. Which, is only "Medium". It is important to patch, but none of these bugs pose an emergency-level risk.
A thank you is in order for the WordPress.org team and security researchers who have contributed their findings. Patching over a dozen security bugs in one release shows us how much work is being done toward securing the open-source WordPress project.
Site owners should patch soon, but they need not rush. You can wait for when the time is convenient as there is likely no emergency for an average WordPress site owner. There is one security bug patched that could be weaponized quickly however the risk it poses is likely inconsequential unless your unpublished post's terms and tags are (for some reason) highly sensitive.
This may be the last security release that will include back-ported security patches for older versions of WordPress (before 4.1.) The WordPress.org team announced they will be Dropping security updates for WordPress versions 3.7 through 4.0 in September, giving site owners a precious few months to update to WordPress 4.1 or higher.