Block editor XSS and REST API data exposure issues among now-patched bugs
WordPress has rolled out an update to its core codebase that includes mitigations against several troublesome security flaws
As well as fixing 61 bugs, WordPress 5.8.1, released yesterday (September 9), addresses a data exposure vulnerability within the REST API, an interface that allows plugins and themes to interact with WordPress core.
It also fixes a cross-site scripting (XSS) vulnerability in the Gutenberg block editor. This was discovered by Polish hacker Michał Bentkowski, who said he reported the bug “a long time ago” and would soon publish a write-up.
Upstream security fixes for multiple vulnerabilities in the Lodash JavaScript Library were also bundled into the WordPress release. These are rated from critical to high severity.
The update also includes 41 bug fixes on WordPress core, as well as 20 bug fixes for the block editor.
Core update
The open source web giant recommends that web admins update their sites to version 5.8.1 as soon as possible.
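A check that an administrator could run before and after applying the update, as an added example that is not code from the article or from the WordPress project. It assumes the standard install layout, where WordPress records its version as a `$wp_version` assignment in `wp-includes/version.php`, and the sample file contents embedded below are constructed for the demonstration.

```python
"""Report whether a WordPress install predates the 5.8.1 security release.

Added example, not from the article or WordPress itself. It reads the
$wp_version string WordPress keeps in wp-includes/version.php and compares
it against the fixed version; the sample file below is constructed.
"""
import re
from pathlib import Path

FIXED_VERSION = "5.8.1"  # release carrying the REST API and block editor fixes

# Matches the assignment WordPress writes, e.g.:  $wp_version = '5.8';
_VERSION_RE = re.compile(r"^\s*\$wp_version\s*=\s*'([^']+)'\s*;", re.MULTILINE)


def parse_wp_version(version_php: str) -> str:
    """Extract the version string from the contents of wp-includes/version.php."""
    m = _VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(version: str) -> tuple:
    """Turn '5.8' or '5.8.1-alpha-12345' into a comparable tuple.

    Missing components are padded with zero ('5.8' is treated as 5.8.0), and a
    pre-release suffix after '-' sorts before the corresponding final release.
    """
    core, _, suffix = version.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    # Final release compares as (..., 1); a pre-release of the same number as (..., 0)
    return (*parts, 0 if suffix else 1)


def needs_update(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running version is older than the security release."""
    return version_tuple(version) < version_tuple(fixed)


def check_install(wp_root: str) -> dict:
    """Read a real install under wp_root (assumed standard layout) and report."""
    text = Path(wp_root, "wp-includes", "version.php").read_text(encoding="utf-8")
    version = parse_wp_version(text)
    return {"version": version, "needs_update": needs_update(version)}


# Constructed sample of version.php from an unpatched 5.8 site (demo input only).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '5.8';
"""

if __name__ == "__main__":
    found = parse_wp_version(SAMPLE_VERSION_PHP)
    status = f"update to {FIXED_VERSION}" if needs_update(found) else "patched"
    print(f"WordPress {found}: {status}")
```

Against a live site, `check_install("/var/www/html")` does the same comparison on the real file; the version tuple deliberately treats a `5.8.1-alpha` build as older than `5.8.1`, so a site running a pre-release branch is still flagged rather than silently passed.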
Version 5.8, the latest major WordPress release, was rolled out in July. It extended the Site Health admin interface so that developers can more easily add their own tabs and website administrators can find their way around the Site Health screens more easily.
It also added several new block editor features, support for the WebP image format, an ‘Update URI’ header for plugin developers, and changes to the REST API.
The next major release will be version 5.9, currently in alpha, with beta 1 set for November 16 and general release planned for December 14.
“The main goal for 2021 is getting full site editing to all WordPress users,” says executive director Josepha Haden Chomphosy.