WordPress 6.5.2 released: Unauthenticated Stored Cross-Site Scripting Vulnerability Patched in WordPress Core

WordPress 6.5.2 was released on April 9, 2024. It included a single security patch along with a handful of bug fixes. The security patch addresses a Stored Cross-Site Scripting vulnerability that could be exploited by unauthenticated users when a comment block is present on a page, and by authenticated users with access to the block editor, such as contributors.

All Wordfence users are already protected against exploits targeting this vulnerability through unauthenticated methods. Users of paid versions of Wordfence received a firewall rule to protect against any exploits targeting this vulnerability through authenticated methods on April 10, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on May 10, 2024.

The patch has been backported to version 6.1 and later of WordPress. We urge all WordPress users to verify immediately that their sites are updated to 6.5.2, or to another backported security release, as this issue could allow full site takeover under the right conditions. Most sites should have auto-updated; however, it is a good idea to verify that the auto-update actually succeeded.
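One way to verify the update across many installs is to read the version string straight out of each site's wp-includes/version.php and compare it against the first patched release of its branch. The script below is an added example written for this post; it is not code from WordPress or Wordfence. The post only states that the fix was backported to 6.1 and later, so the per-branch minimum versions in PATCHED_FLOORS are my assumption and should be checked against the official WordPress 6.5.2 release notes before relying on them. The version.php content is a constructed sample, not a real file.

```python
import re
from typing import Optional, Tuple

# ASSUMPTION: first release of each branch that carries the 6.5.2 fix.
# The post says only "6.1 and later"; confirm these against the official
# release announcement before using this in anger.
PATCHED_FLOORS = {
    (6, 1): (6, 1, 6),
    (6, 2): (6, 2, 5),
    (6, 3): (6, 3, 4),
    (6, 4): (6, 4, 4),
    (6, 5): (6, 5, 2),
}

# Matches the "$wp_version = '6.5.1';" assignment in wp-includes/version.php.
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")

# Constructed sample of a version.php from a site that has NOT updated.
SAMPLE_VERSION_PHP = """<?php
/**
 * WordPress Version (constructed sample for this example, not a real file)
 */
$wp_version = '6.5.1';
"""


def parse_version(version_php: str) -> Optional[str]:
    """Return the $wp_version string from version.php content, or None."""
    m = VERSION_RE.search(version_php)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, int, int, int]:
    """Turn '6.5.2' or '6.5.2-RC1' into a comparable tuple.

    The fourth element is 1 for a final release and 0 for a pre-release
    (alpha/beta/RC), so '6.5.2-RC1' sorts below '6.5.2'.
    """
    core, _, suffix = version.partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    while len(nums) < 3:
        nums.append(0)  # '6.6' means 6.6.0
    final = 0 if suffix else 1
    return (nums[0], nums[1], nums[2], final)


def is_patched(version: str) -> bool:
    """True if this WordPress version includes the 6.5.2 stored-XSS fix."""
    t = version_tuple(version)
    branch = t[:2]
    floor = PATCHED_FLOORS.get(branch)
    if floor is not None:
        # Pre-releases of the floor version do not count as patched.
        return t >= floor + (1,)
    if branch > (6, 5):
        return True   # branch newer than 6.5 was cut after the fix landed
    return False      # older than 6.1: no backport was issued


def check_install(version_php: str) -> Tuple[Optional[str], bool]:
    """Return (detected_version, patched) for one version.php file's content."""
    version = parse_version(version_php)
    if version is None:
        return (None, False)  # could not read the version: treat as unverified
    return (version, is_patched(version))


if __name__ == "__main__":
    detected, ok = check_install(SAMPLE_VERSION_PHP)
    print(f"WordPress {detected}: {'patched' if ok else 'NOT patched, update now'}")
```

On a single site with WP-CLI available, `wp core version` prints the same string the script extracts; the script is useful when you have to sweep a fleet of web roots without shell access to each WordPress install. An unparseable version.php is reported as unverified rather than patched, so a mangled or missing file is flagged for a manual look.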

Source and more info: https://www.wordfence.com/blog/2024/04/unauthenticated-stored-cross-site-scripting-vulnerability-patched-in-wordpress-core

see also: https://wpscan.com/blog/unauthenticated-stored-xss-fixed-in-wordpress-core/
