Mind the XSS

WordPress developers pushed out a security-heavy release on Monday (October 14), with fixes for six potentially problematic vulnerabilities.

The security-oriented update to the ubiquitous content management system, WordPress 5.2.4, resolves a bug in which cross-site scripting (XSS) payloads could be added via the Customizer; a security weakness that meant unauthenticated posts could be viewed; and a flaw that opened the door for a stored XSS to inject JavaScript into style tags.

The WordPress security release also addresses a cache poisoning weakness involving JSON GET requests via the Vary: Origin header; a server-side request forgery bug involving the way that URLs are validated; and shortcomings in referrer validation.

None of the six bugs were flagged as critical, but even so, neglecting the update would be unwise.

WordPress versions 5.2.3 and earlier are affected by these various flaws, resolved by updating to version 5.2.4. Most sites running on WordPress will be configured so this happens automatically.


Updated versions of WordPress 5.1 and earlier are also available for users who have not yet moved to the 5.2.x release train.

“WordPress 5.2.4 is a short-cycle security release. The next major release will be version 5.3,” WordPress developers explain in a blog post accompanying the security update.

The post provides more information on the security flaws as well as crediting the researchers who discovered them.

The final major release of 2019, WordPress 5.3, is scheduled to roll out on November 12 and promises “significant improvements to the block editor, updates to the Site Health component, new block APIs, accessibility updates, and much more”.

