A short-cycle maintenance release of WordPress was presented during the last week with the latest security fixes and performance enhancements- totaling 29 in all.
Latest Fixes and enhancements in WordPress 5.3.2
It is worth mentioning that as many as 6 issues relate to XSS vulnerabilities during different processes like post preview, URL sanitation, etc. Along with that, the previous WordPress versions have also been updated by jQuery JavaScript library updates and bug fixes.
Details of Key updates
· XSS vulnerability in the post preview and post comments
· Open redirect vulnerability during the validation process or sanitization
· XSS vulnerability while uploading media.
· XSS vulnerability in shortcode preview
· Reflected XSS in the dashboard
· XSS threat while sanitizing URL
· The jQuery of the previous version has also been updated
Understanding the attack terminology
· Reflected XSS Vulnerability: In reflected XSS vulnerability, the inputs from post or URL are reflected on the live page without being saved. It gives attackers a chance to slyly inject their malicious code.
· As the attacker uses trusted websites as a carrier, the browser of the end-users trust the script. It thus starts executing the script. Once activated, the malicious script can access sensitive data saved on the end-users’ browser (like saved passwords or payment cards), cookies, etc. The advanced malicious scripts can even interfere with the original website.
· With the help of the XSS attack, the attacker can hijack your session and perform unauthorized activities. The attacker can also steal sensitive information or perform phishing attacks.
· Open Redirect Vulnerability: When the site redirects you to a specific webpage using your submitted link it is known as open redirection. The attackers can use the flaws/loopholes during this process and redirects the users to their desired pages (instead of designated original page).
· For example, if you are being redirected to a submission form and the site is afflicted with open redirect vulnerability, then the attackers can exploit that vulnerability to quietly intrude and redirect you to his fake form with similar look and feel.
When you fill your sensitive information (payment cards, passwords, social security information, etc) and submit it, the entire information is sent to the attacker who can misuse the information for their vested interests. Two major ways in which open redirect vulnerability is exploited by the attackers are stealing the sensitive information to misuse it (with the help of identical forms) and redirecting you to their websites that can eventually facilitate XSS attacks.
Update your WP site to the version WordPress 5.2.3
If you have not yet updated your WP to the latest version 5.2.3, here is how you can update it now:
· Login to your WordPress dashboard using your login credentials
· Look for Updates menu in your admin area
· Click the button "Update Now"
· No other action is required. Wait until the updating process is finished. That's all!
Conclusion
WordPress periodically introduces new and improved versions for better performance and enhanced security. Recently it introduced a security and maintenance update- WordPress version 5.2.3. The security loopholes patched in this release might not seem to be of high significance. However, in the wake of the increasing number of cyber threats and attacks, it is highly imperative to update your WP site as soon as any updated version (major or minor) is released.