WordPress 4.2.3 was made available on Thursday – the update comes with fixes for a number of bugs, including a potentially dangerous cross-site scripting (XSS) vulnerability.
In a release, Jon Cave and Robert Chapin, WordPress security team members, were credited with reporting the XSS vulnerability, which can be exploited to compromise an affected website.
However, certain conditions must first be met.
“It requires users with certain level of trust to perform the attack,” Marc-Alexandre Montpas, vulnerability researcher with Sucuri, told SCMagazine.com in a Thursday email correspondence. He indicated that it is not the easiest vulnerability to exploit, but said that “if you give contributor [or] author roles to people you don't know or have little trust in, then it'd be a problem.”
As noted by security analyst Graham Cluley, managed WordPress hosting platform WP Engine – which considers the update critical and is automatically patching and updating its own customer websites – disclosed additional details on the issue.
“Essentially, this security issue could enable specially crafted shortcodes to bypass kses protection by tricking it into thinking dangerous parts are part of valid HTML,” a Thursday post said. “This vulnerability may allow users without the unfiltered_html capability, but with publishing rights, to run JavaScript code on the front end of the website. This security update ensures all shortcodes inside attributes are evaluated and then run both through kses separately and escaped for use in attributes.”
Also fixed in WordPress 4.2.3 is a problem where a user with Subscriber permissions would be able to create a draft through Quick Draft, the release said, crediting Netanel Rubin from Check Point Software Technologies with reporting the issue.
On Wednesday, security firm High-Tech Bridge released details on vulnerabilities in two WordPress plugins – Paid Memberships Pro, and Count Per Day.
UPDATE: The WordPress release has been updated and now additionally credits Jouko Pynnönen, a researcher with Finnish IT company Klikki Oy, with reporting the XSS vulnerability. Pynnönen wrote an advisory on Friday that includes more information on the bug.
