Summary
A new WordPress security release was announced today. On October 17th, 2022 WordPress Core released version 6.0.3 a security only release. This release includes a substantial number of security bug patches, so I will be reviewing them and sharing the details with you in this post.
All security releases are important. You may want to schedule updating your WordPress installations soon but the good news is there are no high or critical risk security bugs patched in this release. There is no need to drop everything to apply this patch today, but it would be best to put aside some time in your calendar soon.
The highest severity risk any of these security bugs posed was “Medium”. Many of the bugs patched are “Low” severity as they require authentication to perform as an attack and have limited impact.
The highest risk bugs are related to an open redirect, leaked tag or term values in unpublished posts, or authenticated XSS. I have written more details for each below in the “breakdown of patched bugs” section.
This security release came about with the help of 11+ security researchers and 28+ of WordPress.org volunteers and developers. Now, it is up to the over 450+ million WordPress site owners to do their part and apply the patch.
Patches have been back-ported. Every Major WordPress release back to 3.7 received new minor version today which includes patches to address these security bugs. This is an astonishing 9 years of support for the 3.7 branch. Which, is about to come to an end. In just over a month, on December 1st 2022, back-ported security patches will only go back to version 4.1 of WordPress. If you are running WordPress 3.7 to 4.0 you will need to update your sites to a supporter Major release (4.1 or higher) to continue receiving security patches.
Breakdown of patched bugs
I have provided brief summaries of the security bugs patches and included a CVSS severity score for each.
The highest risk security bugs.
These two security bugs appear to have the highest risks. They require no authorization and could be weaponized as attacks against default WordPress configurations.
The good news is, a successful attack would have a very limited impact. Open redirects require tricking a user and a post’s tags and terms values may be inconsequential if leaked before being published.
- Open redirect in wp_nonce_ays
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N — 4.3 (Medium)
Secures against an open redirect risk which could allow an attacker to provide a link to the WordPress website’s domain name, but could redirect to another URL of the attacker’s choice. This could be used in tandem with phishing attacks. - REST endpoint could return terms or tags in non-public posts
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N — 5.3 (Medium)
Stops WordPress REST endpoints from returning values of unpublished post’s terms or tags. This could result in unauthenticated users retreiving an unpublished post’s terms or tag values, but not the post’s content.
Post via email bugs.
Two of the patched security bugs are related to wp-mail.php. They only affect WordPress sites with the “Post via email” setting enabled and configured. Default WordPress installations do not have “Post via email” configured.
You can check if the “Post via email” is enabled via the “Settings > Writing” page in wp-admin and look under the “Post via email” section.
If you do have “Post via email” configured, then you will want to update to the 6.0.3 security release ASAP. The risks related to this could include the leaking of e-mail addresses and possibly allowing authors to post arbitrary HTML (XSS payloads) in their e-mail based posts.
- Stored XSS via wp-mail.php
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N — 3.7 (Low)
Improves security of the Mailbox writing feature in WordPress to prevent lower authorization users from posting arbitrary HTML (e.g.. XSS) when they would normally not be allowed to. - Senders email address can be exposed via wp-mail.php
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N — 3.1 (Low)
Improves privacy and prevents data leakage of the sender’s email address by no longer outputting the author’s email address in wp-mail.php, which may be publicly accessible to any visitor if a site has enabled and configured “Post via email” in Settings > Writing.
Cross-site scripting (XSS.)
- Reflected XSS via SQLi in Media Library
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N — 2.6 (Low)
This security bug patch addresses an issue where an SQL injection could exist in the media library, with the response being able to include an XSS payload. The attack requires authorization levels high enough to work with the media library in WordPress. - Stored XSS via Customizer
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N — 4.3 (Medium)
The WordPress customizer improved its handling of user inputted data which could lead to XSS by an authenticated user who has access to the theme customizer. - Stored XSS in RSS Widget
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N — 4.3 (Medium)
Adds security hardening to RSS Widget, this patch is likely related to or supports the Gutenberg RSS widget patch below. - Stored XSS in Comment editing
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N — 2.6 (Low)
This patch addresses a stored XSS issue where a user leaving a comment could leave a payload that is benign. However, if an administrator or user with unfiltered HTML privileges later edits the comment with the benign XSS payload, it will be triggered leading to a full-fledged XSS.
And more…
- CSRF in wp-trackback.php
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N — 4.3 (Medium)
This bug addresses an issue related to CSRF, which requires a logged-in user to click a malicious link to wp-trackback.php. - Revert shared user instances
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N 2.6 (Low)
This reverts an earlier commit in WordPress core which could lead to inaccurate responses in user related functionality. - Multipart emails leak content when HTML/plaintext used
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N — 3.7 (Low)
Addresses an unlikely scenario caused by sending multi-part emails leading to an email’s content body being leaked in subsequent outgoing emails. - SQL Injection in WP_Date_Query sanitization improved
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N — 3.7 (Low)
Protects against a component (plugin or theme) sending unsafe data to WP_Date_Query.
Gutenberg specific security bugs.
All of the Gutenberg security bug patches can be summarized as improved security hardening for the editor. Each requires authentication as a user with authorization to edit or add posts in WordPress (e.g.. access level high enough to use the Gutenberg editor), these bug patches improved data sanitization for each bug’s respective block type.
- XSS in the Search block
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N — 4.3 (Medium)
Requires an account with access to edit or add posts. Prevents XSS via the Search block. - XSS in the RSS block
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N — 4.3 (Medium)
Requires an account with access to edit or add posts. Prevents XSS via the RSS block. - XSS in the Feature Image block
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N — 4.3 (Medium)
Requires an account with access to edit or add posts. Prevents XSS via the Feature Image block. - XSS in the Widget block
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N — 4.3 (Medium)
Requires an account with access to edit or add posts. Prevents XSS via the Widget block.
Conclusions
The 6.0.3 Security Release of WordPress addresses a large number of security bugs, but the severity is only as high as the bug patched with the highest risk. Which, is only “Medium”. It is important to patch, but none of these bugs pose an emergency-level risk.
A thank you is in order for the WordPress.org team and security researchers who have contributed their findings. Patching over a dozen security bugs in one release shows us how much work is being done toward securing the open-source WordPress project.
Site owners should patch soon, but they need not rush. You can wait for when the time is convenient as there is likely no emergency for an average WordPress site owner. There is one security bug patched that could be weaponized quickly however the risk it poses is likely inconsequential unless your unpublished post’s terms and tags are (for some reason) highly sensitive.
This may be the last security release that will include back-ported security patches for older versions of WordPress (before 4.1.) The WordPress.org team announced they will be Dropping security updates for WordPress versions 3.7 through 4.0 in September, giving site owners a precious few months to update to WordPress 4.1 or higher.
