    WordPress 5.4.2 Patches Multiple XSS Vulnerabilities

    By Wordpress Experts, July 7, 2020 (updated March 22, 2023)

    WordPress Core version 5.4.2 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that would require specific circumstances to exploit. All in all this release contains 6 security fixes, 3 of which are for XSS (Cross-Site Scripting) vulnerabilities. Both the free and Premium versions of Wordfence have robust built-in XSS protection which will protect against potential exploitation of these vulnerabilities.

    A Breakdown of each security issue

    An XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor

    This flaw would have made it possible for an attacker to inject JavaScript into a post by manipulating the attributes of embedded iframes. This would be exploitable by users with the edit_posts capability, meaning users with the Contributor role or higher in most configurations.

    The changeset in question is:
    https://core.trac.wordpress.org/changeset/47947/

    This issue was discovered and reported by Sam Thomas (jazzy2fives).

    An XSS issue where authenticated users with upload permissions are able to add JavaScript to media files

    This flaw would have made it possible for an attacker to inject JavaScript into the “Description” field of an uploaded media file. This would be exploitable by users with the upload_files capability, meaning users with the Author role or higher in most configurations.

    The changeset in question is:
    https://core.trac.wordpress.org/changeset/47948/

    This issue was discovered and reported by Luigi (gubello.me).

    An open redirect issue in wp_validate_redirect()

    For this flaw, the wp_validate_redirect function failed to sufficiently sanitize URLs supplied to it. As such it would have been possible under certain circumstances for an attacker to craft a link to an impacted site that would redirect visitors to a malicious external site. This would not require specific capabilities, but it would typically require either social engineering or a separate vulnerability in a plugin or theme to exploit.

    The changeset in question is:
    https://core.trac.wordpress.org/changeset/47949/

    This issue was discovered and reported by Ben Bidner of the WordPress Security Team.
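    The open redirect above lived in core's own wp_validate_redirect(), so the fix is to update; but the same class of bug appears in plugins that redirect to a visitor-supplied URL without any host check. The following is an added example (not code from the advisory, from Wordfence, or from WordPress core) of the weak and the safe way for a plugin to handle a return URL. The query parameter name redirect_to, the admin_post hook name myplugin_after_action and the hostname sso.example.com are constructed for illustration.

```php
<?php
/**
 * Added example (not from the advisory or WordPress core): handling a
 * user-supplied return URL in a plugin. The parameter name, the
 * 'myplugin_after_action' action and the allow-listed host are constructed.
 */

add_action( 'admin_post_myplugin_after_action', function () {
    $target = isset( $_REQUEST['redirect_to'] )
        ? wp_unslash( $_REQUEST['redirect_to'] )
        : admin_url();

    // WEAK: wp_redirect() only sanitizes characters in the URL; it does not
    // check the host, so any absolute URL the visitor supplies is honoured.
    // wp_redirect( $target ); exit;

    // HARDENED: wp_safe_redirect() runs the target through wp_validate_redirect(),
    // which accepts only the site's own host (plus hosts added through the
    // 'allowed_redirect_hosts' filter) and otherwise falls back to admin_url().
    wp_safe_redirect( $target, 302 );
    exit;
} );

// Optional allow-list for a trusted external host; every host not listed here
// is still rejected. The hostname is a placeholder.
add_filter( 'allowed_redirect_hosts', function ( array $hosts ) {
    $hosts[] = 'sso.example.com';
    return $hosts;
} );
```

Because wp_safe_redirect() delegates to wp_validate_redirect(), plugin code written this way picks up the 5.4.2 correction automatically, whereas code calling wp_redirect() with visitor input never had host validation in the first place.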

    An authenticated XSS issue via theme uploads

    This flaw would have made it possible for an attacker to inject JavaScript into the stylesheet name of a broken theme, which would then be executed if another user visited the Appearance->Themes page on the site. This would be exploitable by users with the install_themes or edit_themes capabilities, which are only available to administrators in most configurations.

    The changeset in question is:
    https://core.trac.wordpress.org/changeset/47950/

    This issue was discovered and reported by Nrimo Ing Pandum.
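    Both the media "Description" flaw and the broken-theme flaw above come down to the same defect: a string that a lower-privileged user controls (an attachment's description, a theme's stylesheet header) was rendered without escaping for its output context. The following is an added example (not code from the advisory, from Wordfence, or from WordPress core) showing how a plugin or theme should render such values. The function names and the HTML layout are constructed for illustration; the WordPress API calls (get_post(), wp_kses_post(), esc_html(), esc_attr(), WP_Theme::get()) are real.

```php
<?php
/**
 * Added example (not from the advisory or WordPress core): rendering strings
 * that an upload_files or install_themes user controls. Function names and
 * markup are constructed; the escaping functions are WordPress core APIs.
 */

function myplugin_render_attachment_description( $attachment_id ) {
    $attachment = get_post( $attachment_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        return '';
    }

    // post_content holds the media "Description" field. It is free text typed
    // by whoever uploaded the file, so it must be treated as untrusted.

    // WEAK: concatenating the raw value lets <script> tags or on* event
    // attributes in the description execute in the viewer's browser.
    // return '<div class="desc">' . $attachment->post_content . '</div>';

    // HARDENED: wp_kses_post() keeps the HTML subset allowed in post content
    // and strips scripts, event handlers and unsafe protocols.
    return '<div class="desc">' . wp_kses_post( $attachment->post_content ) . '</div>';
}

function myplugin_render_theme_row( WP_Theme $theme ) {
    // Theme header values are parsed from style.css, which the theme uploader
    // controls. Text nodes get esc_html(); attribute values get esc_attr().
    return sprintf(
        '<li data-stylesheet="%s">%s</li>',
        esc_attr( $theme->get_stylesheet() ),
        esc_html( $theme->get( 'Name' ) )
    );
}
```

The rule of thumb is to escape at output and to pick the escaping function by context: esc_html() for text between tags, esc_attr() for attribute values, and wp_kses_post() only where a limited set of HTML is genuinely wanted.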

    An issue where set-screen-option can be misused by plugins leading to privilege escalation

    For this flaw, a plugin incorrectly using the set-screen-option filter to save arbitrary or sensitive options could potentially be used by an attacker to gain administrative access. We are not currently aware of any plugins that are vulnerable to this issue.

    The changeset in question is:
    https://core.trac.wordpress.org/changeset/47951/

    This issue was discovered and reported by Simon Scannell of RIPS Technologies.
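    The set-screen-option issue is only reachable through a plugin that answers the filter carelessly, so it is worth seeing what "incorrectly using" the filter looks like next to a correct handler. The following is an added example (not code from the advisory, from Wordfence, or from WordPress core); the option name myplugin_items_per_page and the range limits are constructed for illustration.

```php
<?php
/**
 * Added example (not from the advisory or WordPress core): two ways a plugin
 * can hook the 'set-screen-option' filter. Core consults this filter for
 * option names it does not recognise and, if the filter returns anything but
 * false, saves the returned value for the current user. The option name
 * 'myplugin_items_per_page' is constructed.
 */

// WEAK: accepts every option name and returns the value unchanged. Because
// the option name and value both arrive from the request, this makes the
// filter a sink for arbitrary, user-chosen option names and values, which is
// the misuse the 5.4.2 advisory describes.
add_filter( 'set-screen-option', function ( $status, $option, $value ) {
    return $value;
}, 10, 3 );

// HARDENED: answer only for the option this plugin owns and constrain the
// value to a sane integer range. Any other option name is passed through
// untouched, so $status (false) is returned and nothing is saved.
add_filter( 'set-screen-option', function ( $status, $option, $value ) {
    if ( 'myplugin_items_per_page' !== $option ) {
        return $status;
    }
    $value = absint( $value );
    if ( $value < 1 || $value > 200 ) {
        return $status; // out-of-range input is rejected rather than stored
    }
    return $value;
}, 10, 3 );
```

Checking the option name is the essential part: a handler that validates the value but not the name still stores attacker-chosen keys. WordPress 5.4.2 also added a per-option variant of the filter, set-screen-option-{$option}, which hooks a single option name and therefore cannot fall into this trap.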

    An issue where comments from password-protected posts and pages could be displayed under certain conditions

    For this flaw, comment excerpts on password-protected posts could have been visible on sites displaying the “Recent Comments” widget or using a plugin or theme with similar functionality.

    The changeset in question is:
    https://core.trac.wordpress.org/changeset/47984/

    This issue was discovered and reported by Carolina Nymark.

    Note: This is unrelated to an issue where unmoderated spam comments were briefly visible and indexable by search engines.

    What should I do?

    Most of these vulnerabilities appear to be exploitable only under limited circumstances or by trusted users, but we recommend updating as soon as possible. Attackers may find ways to exploit them more easily, or the researchers who discovered these vulnerabilities may publish Proof of Concept code that allows simpler exploitation. This is a minor WordPress release, so most sites will automatically update to the new version.

    Source Credit
