WordPress Core version 5.4.2 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that would require specific circumstances to exploit. All in all this release contains 6 security fixes, 3 of which are for XSS (Cross-Site Scripting) vulnerabilities. Both the free and Premium versions of Wordfence have robust built-in XSS protection which will protect against potential exploitation of these vulnerabilities.
A Breakdown of each security issue
An XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor
This flaw would have made it possible for an attacker to inject JavaScript into a post by manipulating the attributes of embedded iFrames. This would be exploitable by users with the edit_posts capability, meaning users with the Contributor role or higher in most configurations.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47947/
This issue was discovered and reported by Sam Thomas (jazzy2fives).
An XSS issue where authenticated users with upload permissions are able to add JavaScript to media files
This flaw would have made it possible for an attacker to inject JavaScript into the “Description” field of an uploaded media file. This would be exploitable by users with the upload_files capability, meaning users with the Author role or higher in most configurations.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47948/
This issue was discovered and reported by Luigi (gubello.me).
An open redirect issue in wp_validate_redirect()
For this flaw, the wp_validate_redirect function, which wp_safe_redirect relies on to confirm that a destination points back to the site itself, failed to sufficiently sanitize URLs supplied to it. As such it would have been possible under certain circumstances for an attacker to craft a link to an impacted site that would redirect visitors to a malicious external site. This would not require specific capabilities, but it would typically require either social engineering or a separate vulnerability in a plugin or theme to exploit.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47949/
This issue was discovered and reported by Ben Bidner of the WordPress Security Team.
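The distinction that matters for plugin and theme authors is which redirect function a handler calls. The following is an added example, not code from WordPress core or from this post: a hypothetical plugin handler (myplugin_return_unsafe, myplugin_return_safe and the host sso.example.com are all assumptions) that reads a return URL from the query string, shown first in a form that is an open redirect on its own and then in the form that routes the destination through wp_validate_redirect.

```php
<?php
// Added example, not part of the original post or of WordPress core.
// Hypothetical plugin "return to page" handlers for a ?return= parameter.

// Risky: wp_redirect() performs no host validation, so a crafted link such as
// /?return=https://attacker.example sends the visitor off-site. A plugin that
// does this is an open redirect on its own, independent of the core fix.
function myplugin_return_unsafe() {
    $target = isset( $_GET['return'] ) ? wp_unslash( $_GET['return'] ) : admin_url();
    wp_redirect( $target ); // untrusted destination used as-is
    exit;
}

// Hardened: wp_safe_redirect() passes the target through wp_validate_redirect(),
// which only accepts the site's own host (and hosts added via the
// 'allowed_redirect_hosts' filter) and otherwise falls back to the default.
function myplugin_return_safe() {
    $target = isset( $_GET['return'] ) ? wp_unslash( $_GET['return'] ) : admin_url();
    wp_safe_redirect( $target, 302 ); // off-site targets fall back to admin_url()
    exit;
}

// If an external destination is genuinely needed, allow it explicitly rather
// than trusting input. 'sso.example.com' is a placeholder host for this example.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'sso.example.com';
    return $hosts;
} );

// Only the hardened handler is wired up; the unsafe one is kept for comparison.
add_action( 'admin_post_myplugin_return', 'myplugin_return_safe' );
```

The practical check when auditing a site is to grep the plugins and theme directories for wp_redirect( calls whose argument can be influenced by request data; each of those is a redirect that wp_validate_redirect never sees, with or without the 5.4.2 fix.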
An authenticated XSS issue via theme uploads
This flaw would have made it possible for an attacker to inject JavaScript into the stylesheet name of a broken theme, which would then be executed if another user visited the Appearance->Themes page on the site. This would be exploitable by users with the install_themes or edit_themes capabilities, which are only available to administrators in most configurations.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47950/
This issue was discovered and reported by Nrimo Ing Pandum.
An issue where set-screen-option can be misused by plugins leading to privilege escalation
For this flaw, a plugin incorrectly using the set-screen-option filter to save arbitrary or sensitive options could potentially be used by an attacker to gain administrative access. The filter receives the option name and value submitted from a screen options form, and whatever a filter callback returns is stored for the current user under that option name, so a callback that returns the submitted value for every option name lets a low-privileged user write values it was never meant to control. We are not currently aware of any plugins that are vulnerable to this issue.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47951/
This issue was discovered and reported by Simon Scannell of RIPS Technologies.
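To make the misuse pattern concrete, here is an added example that is not code from the post, from WordPress core, or from any named plugin: a hypothetical plugin (the function names and the option name myplugin_items_per_page are assumptions) registering a per-page setting for its own list table, shown first in the risky form the advisory describes and then in the form a plugin author should use.

```php
<?php
// Added example, not part of the original post or of WordPress core.
// Hypothetical plugin saving a "items per page" screen option.

// Risky pattern: the callback ignores $option and returns whatever was
// submitted. Because the result is stored for the current user under the
// submitted option name, a user who can reach the screen can persist a value
// under an option name of their choosing, not just this plugin's.
function myplugin_save_screen_option_risky( $status, $option, $value ) {
    return $value; // no check of $option, no validation of $value
}

// Hardened pattern: act only on the option this plugin owns, validate the
// value, and return $status untouched for everything else so that other
// handlers and core keep their own behavior.
function myplugin_save_screen_option( $status, $option, $value ) {
    if ( 'myplugin_items_per_page' !== $option ) {
        return $status; // not ours; leave it to whoever registered it
    }
    $value = (int) $value;
    if ( $value < 1 || $value > 200 ) {
        return $status; // out of range; keep the previous setting
    }
    return $value;
}

// Only the hardened callback is hooked; the risky one is kept for comparison.
add_filter( 'set-screen-option', 'myplugin_save_screen_option', 10, 3 );

// Register the option on the plugin's own screen so it appears in the
// Screen Options panel. 'myplugin_items_per_page' is an assumed option name.
function myplugin_add_screen_option() {
    add_screen_option( 'per_page', array(
        'label'   => 'Items per page',
        'default' => 20,
        'option'  => 'myplugin_items_per_page',
    ) );
}
add_action( 'load-toplevel_page_myplugin', 'myplugin_add_screen_option' );
```

When reviewing a plugin, the thing to look for is a set-screen-option callback that never compares $option against the name it registered; that single missing comparison is what turns a harmless per-page setting into an arbitrary write.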
An issue where comments from password-protected posts and pages could be displayed under certain conditions
For this flaw, comment excerpts on password-protected posts could have been visible on sites displaying the “Recent Comments” widget or using a plugin or theme with similar functionality.
The changeset in question is:
https://core.trac.wordpress.org/changeset/47984/
This issue was discovered and reported by Carolina Nymark.
Note: This is unrelated to an issue where unmoderated spam comments were briefly visible and indexable by search engines.
What should I do?
Most of these vulnerabilities appear to be exploitable only under limited circumstances or by trusted users, but we recommend updating as soon as possible. Attackers may find ways to exploit them more easily, or the researchers who discovered these vulnerabilities may publish Proof of Concept code that allows simpler exploitation. This is a minor WordPress release, so most sites that have not disabled automatic minor-release updates will update to the new version on their own; if your site has them disabled, update manually from Dashboard->Updates.