WordPress 6.0.3 Security Release

By Write a Comment on WordPress 6.0.3 Security Release2 min read

Important security updates included in this release

WordPress Logo

In case you missed it, the WordPress core team released WordPress 6.0.3 yesterday. I didn’t know about it until I received an email notification from one of the WordPress sites I’m managing that had automatic background updates enabled.

Check out the list below containing the various security vulnerabilities patched in the most recent update:

Related Posts
WordPress 6.5 Regina
WordPress 6.5 “Regina” Now Available
WordPress 6.3.2 – Maintenance & Security Release
WordPress 6.1 "Misha"
WordPress 6.1 “Misha” Now Available
WordPress Logo
WordPress 6.0.2 Security and Maintenance Release
WordPress Threaded Comments Not Working
WordPress Threaded Comments Not Working
Elementor Critical Vulnerability
ALERT: Elementor Plugin Critical Remote Code Execution Vulnerability
WordPress Logo
WordPress 5.9.2 Security & Maintenance Release
WordPress Logo
WordPress 5.8.3 Security Release
WordCamp Taiwan 2021
I’m Attending WordCamp Taiwan 2021
WordPress 5.8 Widgets Blocks
WordPress 5.8 Now Available

SECURITY UPDATES INCLUDED IN WORDPRESS 6.0.3

  • Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Open redirect in `wp_nonce_ays`devrayn
  • Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
  • CSRF in wp-trackback.php – Simon Scannell
  • Stored XSS via the Customizer – Alex Concha from the WordPress security team
  • Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
  • Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
  • Data exposure via the REST Terms/Tags Endpoint – Than Taintor
  • Content from multipart emails leakedThomas Kräftner
  • SQL Injection due to improper sanitization in `WP_Date_Query`Michael Mazzolini
  • RSS Widget: Stored XSS issue – Third-party security audit
  • Stored XSS in the search block – Alex Concha of the WP Security team
  • Feature Image Block: XSS issue – Third-party security audit
  • RSS Block: Stored XSS issue – Third-party security audit
  • Fix widget block XSS – Third-party security audit

WordPress 6.0.3 is a short-cycle release, meaning that the next major release is going to be version 6.1 which is planned to be released on November 1, 2022.

For those who are interested to learn more about security vulnerabilities that were patched in WordPress 6.0.3, you might want to check out the Vulnerability Analysis done by Wordfence.

If you have automatic background updates enabled on your WordPress-powered site, then you don’t have to do anything as the update will be done automatically.

For those of you who haven’t enabled automatic background updates or are not familiar with this feature, you can do so by logging in to your WordPress Dashboard > Updates and then clicking Update Now.

Thank you, WordPress core team for your hard work and for addressing these security vulnerabilities with WordPress 6.0.3.

This post may contain affiliate links that allow us to earn commissions at no additional cost to you. We are reader-supported so when you buy through the affiliate links, you are also helping or supporting us. 

Tagged In

JP Habaradas

Owner and editor of JaypeeOnline. Self-proclaimed geek. New media writer and consultant. WordPress advocate. Loves blogging, gadgets, video games and sports. You can follow him on Facebook or Twitter.
View All Articles

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

JaypeeOnline

This website uses cookies to ensure you get the best experience on our website. Learn more