U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

WordPress 5.2.3 fixes multiple issues, including some severe XSS flaws

The WordPress development team released version 5.2.3 that includes 29 fixes, enhancements, and several security patches. WordPress developers released a security and maintenance version 5.2.3 that includes 29 fixes, several enhancements and security patches. These flaws affect the versions 5.2.2 and earlier of the popular CMS. Most of the security flaws addressed with the release […]

WordPress xss

The WordPress development team released version 5.2.3 that includes 29 fixes, enhancements, and several security patches.

WordPress developers released a security and maintenance version 5.2.3 that includes 29 fixes, several enhancements and security patches.

These flaws affect the versions 5.2.2 and earlier of the popular CMS.

Most of the security flaws addressed with the release of the version 5.2.3 are cross-site scripting (XSS) issues.

The development team credited Simon Scannell of RIPS Technologies for two of the flaws addressed with the new version.

“This security and maintenance release features 29 fixes and enhancements. Plus, it adds a number of security fixes” reads the security advisory published by WordPress.

“These bugs affect WordPress versions 5.2.2 and earlier; version 5.2.3 fixes them, so you’ll want to upgrade.”

In March, RIPS disclosed two XSS flaws, a first one affecting post previews by contributors, the second one in stored comments. RIPS experts also reported other flaws that can be exploited for remote code execution.

The first one was a CSRF vulnerability in WordPress reported by Simon Scannell that could potentially lead to remote code execution attacks. The other issue disclosed by RIPS Technologies is a critical remote code execution vulnerability in versions of WordPress prior 
5.0.3, that remained uncovered for 6 years.

The flaw could be exploited by an attacker who gains access to an account with at least ‘author privileges on a WordPress install to execute arbitrary PHP code on the underlying server.

WordPress credited Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect, Anshul Jain for disclosing reflected cross-site scripting during media uploads, Zhouyuan Yang of Fortinet’s FortiGuard Labs for disclosing an XSS vulnerability in shortcode previews, Ian Dunn from Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard, and Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.

The security advisory is also informing admins that the WordPress development team is also updating jQuery on older versions of WordPress. The change was introduced in version 5.2.1 and is now being extended to older versions. 

The change aims at protecting WordPress users from XSS attacks exploiting a flaw in previous versions of jQuery.

As usual, websites that support automatic updates may have already been updated. The administrators of websites for some reasons have disabled automatic updates can do it from the Updates section of their WordPress dashboard.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Security, XSS)

[adrotate banner=”5″]

[adrotate banner=”13″]