WordPress 6.5.2 Patches XSS Vulnerability


WordPress 6.5.2 was rolled out on April 09, 2024, primarily to address a critical cross-site scripting (XSS) vulnerability affecting the Avatar block. The issue was reported by John Blackbourn of the WordPress security team, with assistance from Mat Rollings. The fix has been backported to WordPress versions 6.0 and above.

Wordfence reports that this vulnerability “could be exploited by both unauthenticated users, when a comment block is present on a page, and by authenticated users who have access to the block editor such as contributors.” Wordfence has rated the vulnerability as “High,” assigning it a CVSS (Common Vulnerability Scoring System) score of 7.2.

Other Updates

This security release also includes two bug fixes in Core and 12 bug fixes in the Block Editor. The Core fixes address RecursiveDirectoryIterator triggering E_WARNING errors under New Relic, and the font_dir filter producing an infinite loop when wp_get_upload_dir() is called inside the filter callback.

WordPress 6.5.1

WordPress 6.5.2 is the first minor release for WordPress 6.5, as WordPress 6.5.1 was never released due to an error with the initial package. WordPress Core Committer Aaron Jorbin shared that “When the tag for 6.5.1 was created on the WordPress build server, it was created from a previous revision of the 6.5 branch. As tags are treated as immutable, this meant that WordPress 6.5.1 could not be released.” Both the Core and Systems teams are implementing measures to prevent such occurrences in the future.

As this is a security release, the WordPress team recommends that you update your sites immediately. The next major release, WordPress 6.6, is expected on 16 July 2024.
