"WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites"

WordPress recently announced the release of version 6.0.2 of the content management system (CMS), with patches for three security bugs, including a high-severity SQL injection vulnerability. Identified in the WordPress Link functionality, previously known as "Bookmarks," the issue only impacts older installations, as the capability is disabled by default on new installations. However, the functionality might still be enabled on millions of legacy WordPress sites even if they are running newer versions of the CMS.

WordPress noted that the security flaw has a CVSS score of 8.0, requires administrative privileges, and is not easy to exploit in default configurations, but there might be plugins or themes that allow it to be triggered by users with lower privileges (such as editor-level and below).

Both of the remaining vulnerabilities addressed in WordPress 6.0.2 are medium-severity cross-site scripting (XSS) bugs, one caused by the use of the "the_meta" function and the other by plugin deactivation and deletion errors. WordPress noted that successfully exploiting these vulnerabilities could lead to the execution of either scripts injected in post meta keys and values or JavaScript code in the messages displayed when plugins are deactivated or deleted due to an error. WordPress advises website administrators to update to WordPress 6.0.2 as soon as possible.

SecurityWeek reports: "WordPress 6.0.2 Patches Vulnerability That Could Impact Millions of Legacy Sites"