Alex Thomas
June 25, 2024
Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. For a limited time, all high risk issues are in-scope for all researchers!
WordPress Core 6.5.5 was released yesterday, on June 24, 2023. Contained within this release are three security fixes addressing two Cross-Site Scripting (XSS) vulnerabilities and one Windows-specific Directory Traversal vulnerability. Despite these vulnerabilities being medium-severity, the worst of them (specifically, the XSS vulnerabilities) can allow for site takeover by an authenticated, contributor-level user if successfully exploited.
The Directory Traversal vulnerability has been backported to every version of WordPress since 4.1, with the XSS vulnerabilities being backported to the major version in which the functionality was released. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.
The Wordfence Threat Intelligence Team released a new firewall rule the same day to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers for one of the XSS vulnerabilities that didn’t have adequate protection.This rule will be available to free Wordfence users in 30 days, on July 24th, 2024. All Wordfence users have protection for the remaining two vulnerabilities.
If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as two of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.
Technical Analysis and Overview
As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.
Contributor+ Stored Cross-Site Scripting in the HTML API
Description: WordPress Core < 6.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via HTML API
Affected Versions: WordPress Core < 6.5.5
Researcher/s: Alex Concha (WordPress Security Team), Dennis Snell (WordPress Core Team), Grzegorz Ziółkowski (WordPress Security Team), Aaron Jorbin
CVE ID: Pending
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.5.5
Link to Commit 1
Link to Commit 2
WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions up to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The changeset in WordPress 6.5.5 adds additional protections in the set_attribute() function of the HTML API to further escape URL attributes. Additionally, this changeset adds additional improvements.
Contributor+ Stored Cross-Site Scripting in the Template Part Block
Description: WordPress Core < 6.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Template Part Block
Affected Versions: WordPress Core < 6.5.5
Researcher/s: Rafie Muhammad (Patchstack)
CVE ID: Pending
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.5.5
Link to Commit
WordPress Core is vulnerable to Stored Cross-Site Scripting via the Template Part block in various versions up to 6.5.5 due to insufficient input sanitization and output escaping on the ‘tagName’ attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The changeset for WordPress 6.5.5 adds additional sanitization to the Template Part block’s ‘tagName’ attribute. The Template Part block is available to contributor-level users. However, exploitation is only possible where the site’s theme uses this particular block.
Windows-only Directory Traversal
Description: WordPress Core < 6.5.5 – Authenticated (Contributor+) Directory Traversal
Affected Versions: WordPress Core < 6.5.5
Researcher/s: apple502j, Rafie Muhammad (Patchstack), Edouard L , David Fifield, x89, mishre
CVE ID: Pending
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Fully Patched Version: 6.5.5
Link to Commit
WordPress Core is vulnerable to Directory Traversal in various versions up to 6.5.5 via the Template Part block. This makes it possible for authenticated attackers, with contributor-level access and above, to include arbitrary HTML Files on sites running Windows.
Similar to the previous vulnerability, this Directory Traversal vulnerability is exploitable via the Template Part block. The changeset for WordPress 6.5.5 shows the addition of a path normalization function within the validate_file() function.
Conclusion
WordPress 6.5.5 includes patches for 3 medium-severity vulnerabilities. Two of these vulnerabilities are trivial to exploit as an authenticated, contributor+ user, and we recommend updating immediately if your site has not yet automatically done so.
We have released one new firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. This rule will be available to free Wordfence users in 30 days, on July 24th, 2024.
If you know someone who uses WordPress and isn’t keeping it automatically updated, we recommend sharing this advisory with them to ensure their site remains secure, as several of these vulnerabilities pose a significant risk.
For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence Bug Bounty Program and earn up to $10,400 for your submission.
Special thanks to István Márton, a Wordfence Vulnerability Researcher, for his assistance on reverse engineering the patches and ensuring Wordfence users have adequate coverage.
Did you enjoy this post? Share it!
Source :
https://www.wordfence.com/blog/2024/06/wordpress-6-5-5-security-release-what-you-need-to-know/