WordPress 5.4.2 Fixes Several XSS Vulnerabilities, Update Now

by   |  Last Update:  |  0 Comments  

On This Page: [hide]

  1. Security fixes in WordPress Version 5.4.2
  2. What other security bugs were fixed in WordPress Version 5.4.2?

WordPress 5.4.2 Fixes Several XSS Vulnerabilities, Update Now article imageHave you updated your WordPress to version 5.4.2? If you haven’t, consider doing it as soon as possible, as the update contains 23 fixes and enhancements, and specifically 6 security fixes, 3 of which address XXS, or cross-site scripting vulnerabilities.

Security fixes in WordPress Version 5.4.2

The first XSS vulnerability addressed in the latest version of WordPress could have allowed authenticated users with low privileges to add JavaScript to posts in the block editor.

The vulnerability could enable an attacker to inject JavaScript into a post by manipulating the attributes of Embedded iFrames. Users with the edit_posts capability, or users with the Contributor role or higher in most configurations, could be able to leverage the issue, Wordfence researchers say.

The second XSS flaw could allow authenticated users with upload permissions (upload_files capability) to add JavaScript to media files. In other words, attackers could be able to inject JavaScript code into the “Description” field of an uploaded media file. This includes users with the Author role or higher.

Also, Read 130M Attacks Try to Steal Database Credentials from 1.3M WordPress Sites

The third authenticated XSS bug could allow attackers to inject JavaScript into the stylesheet of a broken WordPress theme. The code would then be executed if another user opens the Appearance -> Themes page. This vulnerability could be exploitable by users with the install_themes or edit_themes capabilities, available to administrators in most configurations, Wordfence warns.

What other security bugs were fixed in WordPress Version 5.4.2?

– An open redirect issue in wp_validate_redirect();
– An issue where set-screen-option can be misused by plugins leading to privilege escalation;
– An issue where comments from password-protected posts and pages could be displayed under certain conditions.

The good news is that most of these issues can be exploited only under specific, limited conditions or by trusted users. Nonetheless, updating to the latest version is highly recommended. Note that since this is a minor WordPress release, most websites will automatically update to version 5.4.2.

Researched and created by:
Krum Popov
Passionate web entrepreneur, has been crafting web projects since 2007. In 2020, he founded HTH.Guide — a visionary platform dedicated to streamlining the search for the perfect web hosting solution. Read more...
Technically reviewed by:
Metodi Ivanov
Seasoned web development expert with 8+ years of experience, including specialized knowledge in hosting environments. His expertise guarantees that the content meets the highest standards in accuracy and aligns seamlessly with hosting technologies. Read more...

No related posts.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree
At HTH.Guide, we offer transparent web hosting reviews, ensuring independence from external influences. Our evaluations are unbiased as we apply strict and consistent standards to all reviews.
While we may earn affiliate commissions from some of the companies featured, these commissions do not compromise the integrity of our reviews or influence our rankings.
The affiliate earnings contribute to covering account acquisition, testing expenses, maintenance, and development of our website and internal systems.
Trust HTH.Guide for reliable hosting insights and sincerity.