Important security updates included in this release
In case you missed it, the WordPress core team released WordPress 6.0.3 yesterday (October 17, 2022). I didn’t know about it until I received an email notification from one of the WordPress sites I’m managing that had automatic background updates enabled.
The list below, taken from the release announcement, covers the security vulnerabilities patched in this release together with the researchers credited for reporting them:
SECURITY UPDATES INCLUDED IN WORDPRESS 6.0.3
- Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
- Open redirect in `wp_nonce_ays` – devrayn
- Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
- Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
- CSRF in wp-trackback.php – Simon Scannell
- Stored XSS via the Customizer – Alex Concha from the WordPress security team
- Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
- Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
- Data exposure via the REST Terms/Tags Endpoint – Than Taintor
- Content from multipart emails leaked – Thomas Kräftner
- SQL Injection due to improper sanitization in `WP_Date_Query` – Michael Mazzolini
- RSS Widget: Stored XSS issue – Third-party security audit
- Stored XSS in the search block – Alex Concha of the WP Security team
- Feature Image Block: XSS issue – Third-party security audit
- RSS Block: Stored XSS issue – Third-party security audit
- Fix widget block XSS – Third-party security audit
WordPress 6.0.3 is a short-cycle (minor) release, so the next major release will be version 6.1, which is planned for November 1, 2022.
If you are interested in learning more about the vulnerabilities patched in WordPress 6.0.3, check out the vulnerability analysis published by Wordfence.
If you have automatic background updates enabled on your WordPress-powered site, you don’t have to do anything: the update is applied automatically. It is still worth logging in afterwards and confirming that the site reports version 6.0.3.
If automatic background updates are not enabled on your site, or you are not familiar with the feature, update manually by logging in to your WordPress Dashboard > Updates and clicking Update Now. Note that minor releases such as 6.0.3 are applied automatically by default; they are skipped only if automatic updates were switched off, for example by defining `AUTOMATIC_UPDATER_DISABLED` or setting `WP_AUTO_UPDATE_CORE` to `false` in wp-config.php. The Dashboard > Updates screen also offers a link to enable or switch off automatic updates for major versions.
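For sites administered from the command line rather than the dashboard, here is an added example (written for this page, not code from the original post or from WordPress itself) that checks whether an install is still below 6.0.3 and, if so, applies the minor update with WP-CLI. It assumes WP-CLI (`wp`) is installed and that each argument is a site’s document root; the version-comparison helpers need nothing but a POSIX shell and awk, so they can be exercised without a WordPress install. The `needs_update_to` result names are my own convention.

```shell
#!/bin/sh
# Added example: check one or more WordPress sites against the 6.0.3 security
# release and update them with WP-CLI if they are behind.
# Assumes WP-CLI is installed; each argument is a site's document root.

# version_lt A B: true (exit 0) when dotted version A sorts strictly before B.
# Components are compared numerically; missing components count as 0, so
# "6.0" < "6.0.3" and "6.0.10" > "6.0.3" (a plain string compare gets that wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i in A) ? A[i] + 0 : 0
            y = (i in B) ? B[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# branch_of 6.0.2 -> 6.0 (the major.minor branch that receives minor releases)
branch_of() {
    printf '%s\n' "$1" | cut -d. -f1,2
}

# needs_update_to INSTALLED TARGET prints one of:
#   ok            - installed is TARGET or newer, so it already has the fixes
#   older-branch  - installed is on an older branch; it needs that branch's own
#                   backported minor release, not TARGET itself
#   update        - same branch and below TARGET: apply the minor update
needs_update_to() {
    if ! version_lt "$1" "$2"; then
        echo ok
    elif [ "$(branch_of "$1")" != "$(branch_of "$2")" ]; then
        echo older-branch
    else
        echo update
    fi
}

# check_site DOCROOT: report the installed version and update if needed.
check_site() {
    root="$1"
    cur=$(wp --path="$root" core version)
    case "$(needs_update_to "$cur" 6.0.3)" in
        update)
            echo "$root: $cur is below 6.0.3, applying the minor update"
            # --minor stays within the installed branch (6.0.x -> latest 6.0.x)
            wp --path="$root" core update --minor
            # confirm core files match the official checksums after the update
            wp --path="$root" core verify-checksums ;;
        older-branch)
            echo "$root: $cur is on an older branch; 'wp core update --minor' applies that branch's backported release"
            wp --path="$root" core update --minor ;;
        ok)
            echo "$root: $cur already contains the 6.0.3 fixes" ;;
    esac
    # Minor releases auto-update unless this constant (or AUTOMATIC_UPDATER_DISABLED)
    # turns them off; wp config get exits non-zero when the constant is not defined.
    wp --path="$root" config get WP_AUTO_UPDATE_CORE 2>/dev/null \
        || echo "$root: WP_AUTO_UPDATE_CORE not set (default: minor releases auto-update)"
}

# Usage: sh check_wp_603.sh /var/www/site1 /var/www/site2
if [ "$#" -gt 0 ]; then
    for root in "$@"; do
        check_site "$root"
    done
fi
```

Run it once per server with the document roots of the sites you manage; the version helpers make the decision explicit, and the checksum verification after the update catches a core file that was modified or failed to copy.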
Thank you, WordPress core team for your hard work and for addressing these security vulnerabilities with WordPress 6.0.3.