Headline
WordPress Core 6.2 XSS / CSRF / Directory Traversal
WordPress Core versions 6.2 and below suffer from cross site request forgery, persistent cross site scripting, shortcode execution, insufficient sanitization, and directory traversal vulnerabilities.
On May 16, 2023, the WordPress core team released WordPress 6.2.1, which contains patches for 5 vulnerabilities, including a Medium Severity Directory Traversal vulnerability, a Medium-Severity Cross-Site Scripting vulnerability, and several lower-severity vulnerabilities.
These patches have been backported to every version of WordPress since 4.1. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.
If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.
This email content has also been published on our blog and you’re welcome to post a comment there if you’d like to join the conversation. Or you can read the full post in this email.
Vulnerability Analysis
As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.
Description: WordPress Core <= 6.2 - Directory Traversal via wp_lang
Affected Versions: WordPress Core < 6.2.1
Researcher: Matt Rusnak, reported by Ramuel Gall as well as an undisclosed third party auditor
CVE ID: CVE-2023-2745
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.2.1
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. This vulnerability would not be easy to exploit in an impactful manner on most configurations.
Description: WordPress Core <= 6.2 - Cross-Site Request Forgery via wp_ajax_set_attachment_thumbnail
Affected Versions: WordPress Core < 6.2.1
Researcher: John Blackbourn of the WordPress security team
CVE ID: Pending
CVSS Score: 4.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Fully Patched Version: 6.2.1
WordPress Core is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the ‘wp_ajax_set_attachment_thumbnail’ AJAX function in versions up to, and including, 6.2. This allows unauthenticated users to update the thumbnail image associated with existing attachments, granted they can trick an authenticated user with appropriate permissions into performing an action, such as clicking a link. The impact of this vulnerability is incredibly minimal and we do not expect to see any exploitation of this weakness.
Description: WordPress Core <= 6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Embed Discovery Functionality
Affected Versions: WordPress Core < 6.2.1
Researcher: Jakub Żoczek of Securitum and undisclosed third-party auditor
CVE ID: Pending
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.2.1
WordPress Core is vulnerable to stored Cross-Site Scripting in versions up to, and including, 6.2, due to insufficient validation of the protocol in the response when processing oEmbed discovery. This makes it possible for authenticated attackers with contributor-level and above permissions to use a crafted oEmbed payload at a remote URL to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Description: WordPress Core <= 6.2 - Insufficient Sanitization of Block Attributes
Affected Versions: WordPress Core < 6.2.1
Researcher: Undisclosed third-party auditor
CVE ID: Pending
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.2.1
WordPress Core fails to sufficiently sanitize block attributes in versions up to, and including, 6.2. This makes it possible for authenticated attackers with contributor-level and above permissions to embed arbitrary content in HTML comments on the page, though Cross-Site scripting may be possible when combined with an additional vulnerability. Please note that this would only affect sites utilizing a block editor compatible theme.
Description: WordPress Core <= 6.2 - Shortcode Execution in User Generated Content
Affected Versions: WordPress Core < 6.2.1
Researcher: Liam Gladdy of WP Engine
CVE ID: Pending
CVSS Score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Fully Patched Version: 6.2.1
WordPress Core processes shortcodes in user-generated content on block themes in versions up to, and including, 6.2. This could allow unauthenticated attackers to execute shortcodes via submitting comments or other content, allowing them to exploit vulnerabilities that typically require Subscriber or Contributor-level permissions. While this is likely to have minimal impact on its own, it can significantly increase the severity and exploitability of other vulnerabilities.
Conclusion
In today’s article, we covered five vulnerabilities patched in the WordPress 6.2.1 Security and Maintenance Release. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours.
The Wordfence firewall’s built-in directory traversal protection should block attempts to exploit the directory traversal vulnerability, and it would typically only be impactful when exploited by a skilled attacker in certain configurations. Most of the other issues fixed today are similar in that they require specific configurations or circumstances, such as other vulnerable plugins, to impactfully exploit.
However, we urge all site owners to verify that WordPress is updated as soon as possible since it is not practical to deploy a firewall rule that protects against the oEmbed issue and as such any site with untrusted contributor-level users may be at risk.
As always, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 4.1, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.
Special thanks to Wordfence QA Lead Matt Rusnak for finding the directory traversal vulnerability that we responsibly disclosed, and to John Blackbourn of the WordPress security team, Jakub Żoczek of Securitum, and Liam Gladdy of WP Engine for responsibly disclosing these issues.
Related news
Debian Linux Security Advisory 5685-1 - Several security vulnerabilities have been discovered in Wordpress, a popular content management framework, which may lead to exposure of sensitive information to an unauthorized actor in WordPress or allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack.
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.