WordPress Core 6.2.1 Security & Maintenance Release - What You Need to Know - #CVE-2023-2745
2023-05-18 _On May 16, 2023, the WordPress core team unveiled the 6.2.1 Security and Maintenance Release, which addresses five vulnerabilities, including a medium-severity directory traversal vulnerability, a medium-severity cross-site scripting vulnerability, and several lower-severity vulnerabilities. These patches have been backported to every version of WordPress since 4.1, and most WordPress sites should receive an automatic update within 24 hours. It's crucial to verify that your site has been updated to one of the patched versions to avoid compatibility issues._ _The Wordfence Threat Intelligence team thoroughly analyzed the code changes to assess the impact of these vulnerabilities on users and ensure their protection. One of the vulnerabilities allows unauthenticated attackers to access and load arbitrary translation files via the 'wp\_lang' parameter. Although this vulnerability is not easy to exploit in most configurations, it could be used to perform a cross-site scripting attack if an attacker uploads a crafted translation file onto the site._ _Another vulnerability involves cross-site request forgery due to missing nonce validation on the 'wpajaxsetattachmentthumbnail' AJAX function. This allows unauthenticated users to update the thumbnail image associated with existing attachments if they can trick an authenticated user with appropriate permissions into performing an action. The impact of this vulnerability is minimal, and exploitation is unlikely._ _WordPress Core is also vulnerable to stored cross-site scripting due to insufficient validation of the protocol in the response when processing oEmbed discovery. This enables authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page._ _Additionally, WordPress Core fails to sufficiently sanitize block attributes, making it possible for authenticated attackers with contributor-level and above permissions to embed arbitrary content in HTML comments on the page. Cross-site scripting may be possible when combined with another vulnerability, but this would only affect sites utilizing a block editor compatible theme._ _Lastly, WordPress Core processes shortcodes in user-generated content on block themes, which could allow unauthenticated attackers to execute shortcodes via submitting comments or other content. This can significantly increase the severity and exploitability of other vulnerabilities._ _While most of these vulnerabilities require specific configurations or circumstances to exploit effectively, it's essential to update your site to a patched version of WordPress as soon as possible. The Wordfence firewall's built-in directory traversal protection should block attempts to exploit the directory traversal vulnerability, but it's not practical to deploy a firewall rule that protects against the oEmbed issue. Any site with untrusted contributor-level users may be at risk._ _Ensure your site is running a version of WordPress greater than 4.1 to receive an update that patches these vulnerabilities while maintaining compatibility. --Darien Kindlund_ [View Article](https://www.wordfence.com/?p=31157)