Pervasive WordPress vulnerability in legacy sites addressed

WordPress has addressed a high-severity SQL injection vulnerability and two other flaws with the release of version 6.0.2 of its content management system, reports SecurityWeek. Although the high-severity flaw lies in the WordPress Link functionality, which is disabled by default on newer WordPress installations, a report from Wordfence researchers found that millions of legacy websites could still have the feature enabled even though they run newer CMS versions. "Vulnerable versions of WordPress failed to successfully sanitize the limit argument of the link retrieval query in the get_bookmarks function, used to ensure that only a certain number of links were returned," Wordfence said. The remaining two flaws are medium-severity cross-site scripting vulnerabilities that threat actors could exploit: one stems from use of the "the_meta" function, allowing scripts placed in post meta keys and values to be output, and the other from the messages shown when plugins are deactivated or deleted, into which JavaScript could be injected. Immediate updates have been recommended.
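The defect Wordfence describes, a `limit` argument that reaches the SQL text of a link-retrieval query without being reduced to an integer, is a general class of bug, and the following is an added illustration of it beside a hardened form. It is not WordPress core code and does not show the actual 6.0.2 patch; the `links` table, the function names and the sample rows are constructed, and the demo uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example (not WordPress core code): an unsanitized "limit" argument
// reaching a link-retrieval query, shown beside a hardened form. Table and
// function names are hypothetical; the demo data is constructed.

// Vulnerable pattern: the caller-supplied limit is concatenated into the query
// text, so anything other than a plain integer changes the statement's meaning.
function get_links_unsafe(PDO $db, string $limit): array
{
    $sql = "SELECT link_id, link_url FROM links ORDER BY link_name LIMIT " . $limit;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: coerce the argument to an integer before it touches the
// query and format it with %d, so only digits can ever reach the SQL text.
// A negative value is treated as "no limit" (get_bookmarks uses -1 for that).
function sanitize_limit($limit): int
{
    return (int) $limit; // "10" -> 10, "10 abc" -> 10, "abc" -> 0, "-1" -> -1
}

function get_links_safe(PDO $db, $limit = -1): array
{
    $limit = sanitize_limit($limit);
    $sql = "SELECT link_id, link_url FROM links ORDER BY link_name";
    if ($limit >= 0) {
        $sql .= sprintf(" LIMIT %d", $limit);
    }
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Demo with constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE links (link_id INTEGER PRIMARY KEY, link_name TEXT, link_url TEXT)");
foreach (['alpha', 'bravo', 'charlie', 'delta'] as $name) {
    $db->exec(sprintf(
        "INSERT INTO links (link_name, link_url) VALUES ('%s', 'https://example.invalid/%s')",
        $name, $name
    ));
}

// Every input, numeric or not, is reduced to an integer before the query is built.
foreach (['2', '2 abc', 'abc', '-1'] as $input) {
    $rows = get_links_safe($db, $input);
    printf(
        "input=%-8s -> limit used: %2d, rows returned: %d\n",
        var_export($input, true), sanitize_limit($input), count($rows)
    );
}
```

The point of the hardened version is that the query text is built only from a value the code has already turned into an integer; `sprintf('%d', ...)` plays the same role as `$wpdb->prepare()` with a `%d` placeholder in WordPress. When reviewing plugin or theme code, the pattern to look for is any query where a request-derived limit, offset or count is appended to SQL as a string.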
