
WordPress 6.0.3: Security Release. SQL Injection, Cross Site Scripting (XSS) fixes, and more

WordPress has just received an important security update: version 6.0.3 was released yesterday. This is a short-cycle release that precedes the next major release, WordPress 6.1, which is estimated to drop on November 1, 2022.

If you have enabled automatic updates on your website, it should already have updated to this version. If you have disabled automatic WordPress updates and prefer to take action yourself, you can update manually by visiting your WordPress dashboard, clicking “Updates” and then “Update Now”, or by downloading the release from the WordPress.org release archives.
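A small defender-side check, added here as an example (it is not code from the WordPress project or from the original post): it parses the `$wp_version` assignment that WordPress core keeps in `wp-includes/version.php` and reports whether an install is still older than 6.0.3. It assumes the file uses core's usual `$wp_version = '…';` form; the sample source in the block is constructed.

```python
import re
from pathlib import Path

# The release carrying the fixes described in this post.
FIXED_VERSION = (6, 0, 3)

# Matches the assignment WordPress core uses in wp-includes/version.php,
# e.g.  $wp_version = '6.0.2';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'\s*;")


def parse_wp_version(php_source: str) -> tuple:
    """Extract $wp_version from version.php source as a comparable int tuple.

    Only the numeric part is compared (a '-beta1'/'-RC1' suffix is dropped),
    and short versions such as '6.1' are padded to three components so that
    (6, 1, 0) sorts above (6, 0, 3). Raises ValueError if nothing matches.
    """
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    numeric = m.group(1).split("-")[0]
    parts = tuple(int(p) for p in numeric.split("."))
    return parts + (0,) * (3 - len(parts))


def needs_update(php_source: str) -> bool:
    """True when the install described by this version.php predates 6.0.3."""
    return parse_wp_version(php_source) < FIXED_VERSION


def check_install(wp_root: str) -> bool:
    """Read version.php under a WordPress root directory and run the check."""
    src = Path(wp_root, "wp-includes", "version.php").read_text(encoding="utf-8")
    return needs_update(src)


if __name__ == "__main__":
    # Constructed sample of version.php from an install still on 6.0.2.
    sample = "<?php\n$wp_version = '6.0.2';\n"
    print("update required" if needs_update(sample) else "up to date")
```

Run `check_install("/var/www/html")` against the web root of a site you administer to get the same yes/no answer for a real install.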

Security Fixes in WordPress 6.0.3

These are the 16 major fixes in this release.

  • Stored XSS via wp-mail.php (post by email) – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Open redirect in `wp_nonce_ays` – devrayn
  • Sender’s email address is exposed in wp-mail.php – Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. via JPCERT
  • Media Library – Reflected XSS via SQLi – Ben Bidner from the WordPress security team and Marc Montpas from Automattic independently discovered this issue
  • CSRF in wp-trackback.php – Simon Scannell
  • Stored XSS via the Customizer – Alex Concha from the WordPress security team
  • Revert shared user instances introduced in 50790 – Alex Concha and Ben Bidner from the WordPress security team
  • Stored XSS in WordPress Core via Comment Editing – Third-party security audit and Alex Concha from the WordPress security team
  • Data exposure via the REST Terms/Tags Endpoint – Than Taintor
  • Content from multipart emails leaked – Thomas Kräftner
  • SQL Injection due to improper sanitization in `WP_Date_Query` – Michael Mazzolini
  • RSS Widget: Stored XSS issue – Third-party security audit
  • Stored XSS in the search block – Alex Concha of the WP Security team
  • Feature Image Block: XSS issue – Third-party security audit
  • RSS Block: Stored XSS issue – Third-party security audit
  • Fix widget block XSS – Third-party security audit

List of Updated Packages

@wordpress/block-directory: 3.4.15
@wordpress/block-library: 7.3.15
@wordpress/customize-widgets: 3.3.15
@wordpress/edit-post: 6.3.15
@wordpress/edit-site: 4.3.15
@wordpress/edit-widgets: 4.3.15
@wordpress/widgets: 2.4.11

List of files revised

src/wp-admin/about.php
src/wp-admin/includes/ajax-actions.php
src/wp-admin/includes/post.php
src/wp-includes/blocks/legacy-widget.php
src/wp-includes/blocks/navigation.php
src/wp-includes/blocks/post-featured-image.php
src/wp-includes/blocks/rss.php
src/wp-includes/blocks/search.php
src/wp-includes/blocks/widget-group.php
src/wp-includes/class-wp-date-query.php
src/wp-includes/class-wp-query.php
src/wp-includes/comment.php
src/wp-includes/customize/class-wp-customize-header-image-control.php
src/wp-includes/customize/class-wp-customize-site-icon-control.php
src/wp-includes/deprecated.php
src/wp-includes/functions.php
src/wp-includes/media-template.php
src/wp-includes/pluggable.php
src/wp-includes/post.php
src/wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
src/wp-includes/user.php
src/wp-includes/version.php
src/wp-includes/widgets.php
src/wp-mail.php
src/wp-trackback.php

Conclusion

Security updates are non-negotiable for website owners, so I recommend updating to the latest WordPress version immediately. Thanks to the WordPress team, and especially the WordPress security team; without them WordPress 6.0.3 would not have been possible.

To learn more about the SQLi vulnerability, XSS (Cross Site Scripting) and the WordPress 6.0.2 bug fixes, see the earlier post on that release. To know more about the upcoming features of WordPress 6.1 and the news from in and around WordPress in the month of September, see the September news post.
