The WordPress development team released version 5.2.3 that includes 29 fixes, enhancements, and several security patches.

WordPress developers released a security and maintenance version 5.2.3 that includes 29 fixes, several enhancements and security patches.

These flaws affect the versions 5.2.2 and earlier of the popular CMS.

Most of the security flaws addressed with the release of the version 5.2.3 are cross-site scripting (XSS) issues.

The development team credited Simon Scannell of RIPS Technologies for two of the flaws addressed with the new version.

“This security and maintenance release features 29 fixes and enhancements. Plus, it adds a number of security fixes” reads the security advisory published by WordPress.

“These bugs affect WordPress versions 5.2.2 and earlier; version 5.2.3 fixes them, so you’ll want to upgrade.”

In March, RIPS disclosed two XSS flaws, a first one affecting post previews by contributors, the second one in stored comments. RIPS experts also reported other flaws that can be exploited for remote code execution.

The first one was a CSRF vulnerability in WordPress reported by Simon Scannell that could potentially lead to remote code execution attacks. The other issue disclosed by RIPS Technologies is a critical remote code execution vulnerability in versions of WordPress prior

5.0.3, that remained uncovered for 6 years.

The flaw could be exploited by an attacker who gains access to an account with at least ‘ author‘ privileges on a WordPress install to execute arbitrary PHP code on the underlying server.

WordPress credited Tim Coen for disclosing an issue where validation and sanitization of a URL could lead to an open redirect, Anshul Jain for disclosing reflected cross-site scripting during media uploads, Zhouyuan Yang of Fortinet’s FortiGuard Labs for disclosing an XSS vulnerability in shortcode previews, Ian Dunn from Core Security Team for finding and disclosing a case where reflected cross-site scripting could be found in the dashboard, and Soroush Dalili (@irsdl) from NCC Group for disclosing an issue with URL sanitization that can lead to cross-site scripting (XSS) attacks.

The security advisory is also informing admins that the WordPress development team is also updating jQuery on older versions of WordPress. The change was introduced in version 5.2.1 and is now being extended to older versions.

The change aims at protecting WordPress users from XSS attacks exploiting a flaw in previous versions of jQuery .

As usual, websites that support automatic updates may have already been updated. The administrators of websites for some reasons have disabled automatic updates can do it from the Updates section of their WordPress dashboard.

Pierluigi Paganini

(SecurityAffairs – Security, XSS)