WordPress Security Updates: Jan 2020

WordPress Security and Maintenance Releases: 5.2.4, 5.3.1, and 5.3.2

Pagely customers were spared issues from bugs introduced in the 5.3.0 release as, due to the proximity to the holidays, we didn’t upgrade our customers to 5.3 until early January. All Pagely customers received security patches for vulnerabilities identified in WordPress Core before 5.2.4 for the 5.2 branch and 5.3.1 for the 5.3 branch.

4 vulnerabilities found in WordPress Core:

  1. Privilege Escalation (allowing any user to “sticky” a post)
  2. Stored XSS (Cross-Site Scripting) in well-crafted links
  3. XSS in the Block Editor
  4. Improved Security/Sanitization on wp_kses_bad_protocol()

Plugin/Theme Vulnerabilities of Note

InfiniteWP and WP-Time-Capsule

Two separate authentication bypass vulnerabilities were found in InfiniteWP and WP-Time-Capsule. Both vulnerabilities were reported by WebARX.

These vulnerabilities pose a critically high risk to any site owners running insecure versions of either plugin. They allow malicious parties to bypass authentication and obtain a valid administrator login session by making a single request to a site running either plugin.

Links for more information:

Elegant Themes

Elegant Themes self-detected and corrected insecure code in their popular plugin Divi-Builder, and themes Divi and Extra.

The vulnerabilities Elegant Themes addressed would have allowed an authenticated user to potentially execute short bits of arbitrary PHP code on a website. While the ability to execute code makes this a high-risk threat, the requirement that the attacker have valid credentials reduces that threat significantly, to a medium or lower risk.

A hat tip and props are due to Elegant Themes’ developers for identifying and patching the issue, and for their transparency surrounding this report.

More information:
