An attacker able to successfully exploit this vulnerability could inject malicious JavaScript into a post, which, when previewed by an administrator, would execute. This vulnerability does require the attacker to have the ability to edit posts, and as such they would need access to the account of at least a Contributor-level user. The patched version runs wp_filter_global_styles_post before wp_filter_post_kses so that any potential bypasses have already been processed and wp_kses can effectively sanitize them. Normally this would not be an issue, but wp_filter_global_styles_post performs a second round of JSON decoding on the content it has been passed, which allows for a number of bypasses that would normally be handled by wp_kses. Unfortunately, however, the wp_filter_global_styles_post function ran after wp_filter_post_kses.
#WORDPRESS 5.9 BUGS FULL#
Recent versions of WordPress allow some degree of full site editing, including global styles, which use their own sanitization function wp_filter_global_styles_post. WordPress uses a function called wp_kses to remove malicious scripts from posts, which is called in wp_filter_post_kses whenever post content is saved. Contributor+ Stored Cross Site Scripting VulnerabilityĪffected Versions: WordPress Core 5.9.0-5.9.1ĬVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
#WORDPRESS 5.9 BUGS UPDATE#
Wordfence free users will receive these rules after 30 days on April 10, 2022.Įven if you are protected by the Wordfence firewall, we encourage you to update WordPress core on all your sites at your earliest convenience, if they have not already been automatically updated. These rules have been deployed to Wordfence Premium, Wordfence Care, and Wordfence Response users. We have released two new firewall rules to protect against the vulnerabilities patched in WordPress 5.9.2. Vulnerability AnalysisĪs with all WordPress core releases containing security fixes, the Wordfence Threat Intelligence team has analyzed the update in detail to ensure our customers remain secure. All versions of WordPress since WordPress 3.7 have also been updated with the fix for these vulnerabilities.
![wordpress 5.9 bugs wordpress 5.9 bugs](https://mbdb.jp/wp-content/uploads/2021/03/pexels-photo-4160094-1200x630.jpeg)
![wordpress 5.9 bugs wordpress 5.9 bugs](https://www.sohaibxtreme.net/wp-content/uploads/2019/01/Bright-Memory-Episode-1-Early-Access-PC_2-696x392.jpg)
The two medium-severity vulnerabilities impact WordPress versions earlier than 5.9.2 and potentially allow attackers to execute arbitrary JavaScript in a user’s session if they can trick that user into clicking a link, though there are no known practical exploits for these two vulnerabilities affecting WordPress. The Wordfence Threat Intelligence team was able to create a Proof of Concept for this vulnerability fairly quickly and released a firewall rule early on March 11, 2022, to protect WordPress sites that have not yet been updated. The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts.
![wordpress 5.9 bugs wordpress 5.9 bugs](https://pluginsytemas.es/wp-content/uploads/2021/04/phlox-pro-wordpress-theme.jpg)
Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues. WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities