Sixteen security vulnerabilities have been patched by WordPress as part of its 6.0.3 update, SecurityWeek reports. Stored and reflected cross-site scripting flaws accounted for nine of the bugs, while the others were SQL injection, data exposure, cross-site request forgery, and open redirect issues. Four of the vulnerabilities were designated with "high-severity," while medium or low severity ratings were given for the others, according to WordPress security firm Defiant. Threat actors could exploit the high-severity stored XSS flaw to facilitate malicious JavaScript code injection into posts, while the high-severity reflected XSS bug could be leveraged to execute arbitrary code. Third-party plugins or themes could exploit the high-severity SQL injection flaw, while the high-severity CSRF vulnerability could be used for trackbacks should attackers use social engineering. "We have determined that these vulnerabilities are unlikely to be seen as mass exploits but several of them could offer a way for skilled attackers to exploit high-value sites using targeted attacks," said Defiant.