WordPress has addressed a high-severity SQL injection vulnerability and two other flaws with the release of version 6.0.2 of its content management system, reports SecurityWeek.
Even though the high-severity flaw was observed in the WordPress Link functionality, which is disabled by default on newer WordPress installations, a report from Wordfence researchers found that millions of legacy websites could still have the feature enabled despite running newer CMS versions.
"Vulnerable versions of WordPress failed to successfully sanitize the limit argument of the link retrieval query in the get_bookmarks function, used to ensure that only a certain number of links were returned," Wordfence said.
Meanwhile, threat actors could exploit the remaining two flaws, both medium-severity cross-site scripting vulnerabilities: one stems from use of the "the_meta" function and could allow scripts to be injected through post meta keys and values, and the other stems from the error handling for plugin deactivation and deletion and could allow JavaScript to be injected into the messages shown for deactivated or deleted plugins. Immediate updates have been recommended.
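As an added illustration of the sanitization failure Wordfence describes (this is hypothetical example code, not WordPress's get_bookmarks function or the 6.0.2 patch), the snippet below shows a link query that interpolates a raw "limit" argument into its SQL text, beside a hardened version that validates the argument as an integer and binds it as a parameter. The table, column and function names are assumptions, and the data is constructed for the demo.

```php
<?php
// Hypothetical, not WordPress code: a "limit" argument that reaches the
// query as an unvalidated string can carry more than a number.
function get_links_unsafe(PDO $db, array $args): array {
    $limit = $args['limit'] ?? '-1';
    // Weak: the string is pasted straight into the SQL text.
    $sql = "SELECT link_id, link_url FROM links ORDER BY link_name LIMIT $limit";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: enforce the integer type before the value touches SQL, and
// bind it as a parameter so it cannot alter the shape of the query.
function get_links_safe(PDO $db, array $args): array {
    $raw = $args['limit'] ?? -1;
    // Accept only a plain integer; -1 means "no limit" (hypothetical convention).
    $limit = filter_var($raw, FILTER_VALIDATE_INT);
    if ($limit === false || $limit < -1) {
        throw new InvalidArgumentException('limit must be an integer >= -1');
    }
    $sql = 'SELECT link_id, link_url FROM links ORDER BY link_name';
    if ($limit >= 0) {
        $sql .= ' LIMIT :limit';
    }
    $stmt = $db->prepare($sql);
    if ($limit >= 0) {
        $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (link_id INTEGER PRIMARY KEY, link_name TEXT, link_url TEXT)');
$insert = $db->prepare('INSERT INTO links (link_name, link_url) VALUES (?, ?)');
foreach (['a', 'b', 'c'] as $name) {
    $insert->execute([$name, "https://example.org/$name"]);
}

// A numeric limit is honoured; a non-integer string is rejected before any SQL runs.
echo count(get_links_safe($db, ['limit' => 2])), " rows returned", PHP_EOL;
try {
    get_links_safe($db, ['limit' => '2 foo']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```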