WordPress 6.2.1 Security & Maintenance Release
2023-05-18 00:08:02 Author: blog.sucuri.net

On May 16, 2023, the WordPress core team released a crucial update — WordPress 6.2.1. This latest security and maintenance release addresses a number of bug fixes and vulnerability patches, including an unauthenticated Directory Traversal vulnerability, unauthenticated Cross-Site Scripting vulnerability, and several other lower-severity vulnerabilities.

To mitigate risk, we highly recommend verifying that your WordPress website has been updated to 6.2.1. If your site does not have automatic updates enabled, we strongly recommend manually updating as soon as possible.

Vulnerability Details

The following vulnerabilities have been patched in WordPress 6.2.1.

Directory Traversal

Security Risk: Medium
Exploitation Level: No authentication required.
CVE: CVE-2023-2745
Vulnerability: Injection
Affected Software: WordPress Core <= 6.2
Patched Versions: WordPress Core 6.2.1

This vulnerability allows unauthenticated attackers to access and load arbitrary translation files through the wp_lang parameter. It is not easy to exploit in most configurations but could be used to perform a Cross-Site Scripting attack if an attacker manages to upload a crafted translation file onto your site.

Cross-Site Request Forgery

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Broken Access Control
Affected Software: WordPress Core <= 6.2
Patched Versions: WordPress Core 6.2.1

This vulnerability allows unauthenticated users to update the thumbnail image associated with existing attachments by tricking an authenticated user with appropriate permissions into performing an action such as clicking a link. The impact of this vulnerability is minimal, and exploitation is unlikely.

Stored Cross-Site Scripting

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Cross-Site Scripting (XSS)
Affected Software: WordPress Core <= 6.2
Patched Versions: WordPress Core 6.2.1

This vulnerability allows authenticated attackers with contributor-level or higher permissions to inject arbitrary web scripts in pages using a crafted Embed payload at a remote URL. These scripts execute whenever a user accesses an injected page.

Insufficient Sanitization of Block Attributes

Security Risk: Medium
Exploitation Level: Contributor or higher level authentication required.
Vulnerability: Injection
Affected Software: WordPress Core <= 6.2
Patched Versions: WordPress Core 6.2.1

This vulnerability allows authenticated attackers with contributor-level or higher permissions to embed arbitrary content in HTML comments on a page. Cross-Site Scripting may be possible if combined with another vulnerability. This issue only affects sites using a block editor compatible theme.

Shortcode Execution in User Generated Content

Security Risk: Medium
Exploitation Level: No authentication required.
Vulnerability: Injection
Affected Software: WordPress Core <= 6.2
Patched Versions: WordPress Core 6.2.1

This vulnerability allows unauthenticated attackers to execute shortcodes by submitting comments or other content. Although the impact is minimal on its own, it can significantly increase the severity and exploitability of other vulnerabilities.

Mitigation Steps

This latest WordPress 6.2.1 Security and Maintenance Release addresses a number of important bug fixes and vulnerabilities. Updates should be applied as soon as possible to mitigate risk.
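As an added example that is not part of the original post or of Sucuri's tooling, the check below reads the `$wp_version` string from WordPress core's `wp-includes/version.php` and reports whether an install is at or above the 6.2.1 patched release; the WordPress root path and the sample file contents are assumptions.

```python
import re
import sys
from pathlib import Path
from typing import Optional, Tuple

PATCHED_VERSION = "6.2.1"  # release discussed in the advisory

# Matches the assignment WordPress core uses in wp-includes/version.php,
# e.g.  $wp_version = '6.2';
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""")


def parse_wp_version(version_php_source: str) -> Optional[str]:
    """Extract the $wp_version string from the contents of version.php."""
    match = _VERSION_RE.search(version_php_source)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '6.2.1' or '6.3-RC1' into a sortable key.

    Components compare as integers, so '6.10' sorts after '6.2', and a
    pre-release suffix (alpha/beta/RC) sorts below the plain release of
    the same number, since it may not yet carry that release's fixes.
    """
    base, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in base.split("."))
    numbers = numbers + (0,) * (3 - len(numbers))  # '6.2' == '6.2.0'
    return numbers, (0 if suffix else 1)


def is_patched(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed core version already contains the fixes."""
    return version_key(installed) >= version_key(patched)


def check_install(wp_root: Path) -> Tuple[Optional[str], bool]:
    """Read wp-includes/version.php under a WordPress root and evaluate it."""
    version_file = wp_root / "wp-includes" / "version.php"
    if not version_file.is_file():
        return None, False
    installed = parse_wp_version(version_file.read_text(encoding="utf-8"))
    return installed, bool(installed) and is_patched(installed)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # assumed usage: python wpcheck.py /var/www/html
        installed, ok = check_install(Path(sys.argv[1]))
    else:  # constructed sample of version.php on an unpatched 6.2 site
        installed = parse_wp_version("<?php\n$wp_version = '6.2';\n")
        ok = installed is not None and is_patched(installed)
    print(f"wp_version={installed or 'unknown'} patched={ok}")
```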

We would like to extend our gratitude to the researchers and developers who played a crucial role in enhancing the security of WordPress and a significant portion of the web. Special thanks go to John Blackbourn from the WordPress security team, Liam Gladdy from WP Engine, Jakub Żoczek from Securitum, and Ramuel Gall from Wordfence for their efforts and research.

For further details on the WordPress 6.2.1 maintenance and security release, please refer to the official announcement on WordPress.org: https://wordpress.org/news/2023/05/wordpress-6-2-1-maintenance-security-release/

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Source: https://blog.sucuri.net/2023/05/wordpress-6-2-1-security-maintenance-release.html