WordPress 6.5.5 was launched on June 24, 2024. This short-cycle release, led by Aaron Jorbin, addresses three security issues and three Core bugs. As this is a security release, the team recommends updating your sites immediately. If you have not opted in to automatic background updates, please update your sites manually.
The Security Fixes
This release fixes two cross-site scripting (XSS) vulnerabilities and one Windows-specific path traversal issue. The XSS vulnerabilities can be exploited via the HTML API and the Template Part block. Researchers at Wordfence have categorized both as “Medium severity” concerns with a CVSS score of 6.4, and they have shared more information on the vulnerabilities.
XSS Vulnerability via HTML API: This vulnerability affects the HTML API “due to insufficient input sanitization and output escaping on URLs”, allowing authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages; the scripts execute whenever the affected page is accessed.
XSS Vulnerability via Template Part Block: Similar to the first, this vulnerability is caused by “insufficient input sanitization and output escaping on the ‘tagName’ attributes” and allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.
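To make the “insufficient sanitization on the tagName attribute” point concrete, here is an added PHP example (not WordPress core code and not the patched block implementation) showing why a block attribute that names the wrapper element must be validated against an allowlist rather than interpolated into markup. The allowlist, the function names and the sample attributes are all assumptions for this illustration; a real block would use WordPress’s own escaping helpers such as `esc_attr()`.

```php
<?php
// Added example, not WordPress core code: render a block wrapper element whose
// tag name comes from block attributes that a contributor can set. The first
// renderer interpolates the attribute as-is; the second accepts only an
// allowlisted element name and escapes the remaining attribute values.

// Hypothetical allowlist of wrapper elements this block may use.
const ALLOWED_WRAPPER_TAGS = ['div', 'section', 'article', 'aside', 'header', 'footer', 'main'];

// Risky pattern: whatever is stored in tagName lands inside the start tag.
function render_wrapper_unchecked(array $attrs, string $inner_html): string {
    $tag = $attrs['tagName'] ?? 'div';
    return "<{$tag} class=\"wp-block-example\">{$inner_html}</{$tag}>";
}

// Accept only a known element name; anything else falls back to the default.
function sanitize_wrapper_tag($tag): string {
    $tag = strtolower(trim((string) $tag));
    return in_array($tag, ALLOWED_WRAPPER_TAGS, true) ? $tag : 'div';
}

// Attribute escaper for the example (WordPress itself provides esc_attr()).
function escape_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: the element name is allowlisted and the class value escaped.
// $inner_html is assumed to be already-rendered, trusted block content.
function render_wrapper_checked(array $attrs, string $inner_html): string {
    $tag   = sanitize_wrapper_tag($attrs['tagName'] ?? null);
    $class = escape_attr(trim('wp-block-example ' . ($attrs['className'] ?? '')));
    return "<{$tag} class=\"{$class}\">{$inner_html}</{$tag}>";
}

// Constructed sample attributes: a legitimate wrapper and one whose tagName
// smuggles an extra attribute into the start tag.
$legit   = ['tagName' => 'section', 'className' => 'site-intro'];
$hostile = ['tagName' => 'div title="injected"', 'className' => 'x" data-y="z'];

echo render_wrapper_unchecked($hostile, 'Hello'), "\n"; // the injected attribute survives
echo render_wrapper_checked($hostile, 'Hello'), "\n";   // falls back to the default tag, class escaped
echo render_wrapper_checked($legit, 'Hello'), "\n";
```

The design choice worth noting is that the element name is not escaped but allowlisted: there is no escaping function that makes an arbitrary string safe to use as a tag name, so the only sound treatment is to compare it against the handful of elements the block is meant to produce and fall back to a default otherwise. Escaping is reserved for attribute values, where `htmlspecialchars()` (or `esc_attr()` in WordPress) does have a well-defined meaning.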
Windows-only Directory Traversal Vulnerability: The third issue, a Windows-only directory traversal vulnerability, is a “Medium severity” concern with a CVSS score of 4.3. It allows authenticated attackers with contributor-level access and above to exploit the Template Part block and add arbitrary HTML files on sites running Windows.
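The reason this issue is Windows-only is that Windows accepts the backslash as a path separator, so a containment check that only looks for `/` and `../` can be bypassed with `..\`. The following added PHP example (not WordPress core code and not the actual fix) shows a file-name check for a template-part request that normalizes both separators before resolving the path; the base directory, the allowed extension and the sample requests are constructed for the illustration.

```php
<?php
// Added example, not WordPress core code: decide whether a template-part file
// name supplied through block attributes may be read from the theme's
// template-parts directory. Windows accepts "\" as a separator, so a check
// that only splits on "/" would let "..\" segments through; this one
// normalizes both separators before resolving the path lexically.

// Hypothetical base directory and allowed extension for this example.
const TEMPLATE_PARTS_DIR = '/var/www/wp-content/themes/example-theme/parts';
const ALLOWED_EXTENSION  = 'html';

// Returns the resolved absolute path, or null if the request escapes the base
// directory or names a file of the wrong type.
function resolve_template_part(string $requested): ?string {
    $normalized = str_replace('\\', '/', $requested);

    // Absolute paths and drive-letter prefixes are never expected here.
    if ($normalized === '' || $normalized[0] === '/' || preg_match('/^[A-Za-z]:/', $normalized)) {
        return null;
    }

    // Resolve "." and ".." segments without touching the filesystem; climbing
    // above the base directory is a rejection, not a clamp to the root.
    $parts = [];
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($parts === []) {
                return null;
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    if ($parts === []) {
        return null;
    }

    // Only the expected file type may be included from this directory.
    $filename = end($parts);
    if (strtolower(pathinfo($filename, PATHINFO_EXTENSION)) !== ALLOWED_EXTENSION) {
        return null;
    }
    return TEMPLATE_PARTS_DIR . '/' . implode('/', $parts);
}

// Constructed sample requests: a legitimate name, a "/"-style climb, a "\"-style
// climb that a forward-slash-only check would miss, and a wrong file type.
foreach (['header.html', '../../outside.html', '..\\..\\outside.html', 'footer.php'] as $request) {
    $resolved = resolve_template_part($request);
    printf("%-24s => %s\n", $request, $resolved ?? 'rejected');
}
```

Because the resolution is lexical, it works for names that do not exist yet; on a live site it should be paired with a `realpath()` comparison against the base directory once the file is known to exist, so that symbolic links cannot point outside the intended tree either.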
Bug Fixes
The release also resolves the following three Core bugs:
- Font Directory uploads ignoring the `subdir` property (#61297)
- `wp_get_plugin_action_button()` returning `void` (#61400)
- Unassigned `sprintf()` in `wp_get_plugin_action_button()` breaking plugin layouts (#61420)
The next major release, WordPress 6.6, is expected on July 16, 2024. For more details on the new features, you can refer to the Field Guide.