- The new version fixes eight security flaws.
- It includes seven flaws related to cross-site scripting (XSS) and one related to open redirect.
Wordpress 5.2.3 (new version), now available to the public, performs 29 fixes including some enhancements under the hood.
It fixes eight vulnerabilities; seven of which related to cross-site scripting (XSS) and one to open redirect.
The update is a short-cycle maintenance release and the next major release (version 5.3) will be rolling out soon.
What are the security updates?
Wordpress 5.2.3 release mentions a total of 29 bugs fix that affect WordPress versions 5.2.2 and earlier. The highlight of the release, however, revolves around the eight security updates, especially the cross-site scripting vulnerabilities (XSS).
Cross-site scripting is a client-side code injection attack in which a malicious script is infused and run on a legitimate web page or application. The script can gain access to any cookies, session tokens, or other sensitive information from the browser.
Below is the list of seven cross-site scripting flaws which are fixed in the new release:
- Cross-site scripting in post previews by contributors
- Cross-site scripting in stored comments
- Reflected cross-site scripting during media uploads
- XSS in shortcode previews
- Reflected cross-site scripting found in Wordpress dashboard
- URL sanitization cross-site scripting attacks
- Cross-site scripting vulnerability in jQuery.extend (fixed in jQuery 3.4.0.)
The eighth security flaw arises due to improper validation and sanitization of a URL, leading to open redirect vulnerability. The flaw allows an external user to craft URLs and redirect users to the landing page of their wish. It is one of the most commonly used tactics of attackers in their phishing campaigns.
What to do?
Being the largest CMS in the world, Wordpress is always on the radar of cybercriminals. It is recommended that you install the update today using one of the below methods:
For the websites supporting automatic background updates, the update may have already have been installed.