WordPress has released a security and maintenance update that fixes three vulnerabilities, ranging from high to medium severity, alongside general bug fixes.
Because the update may have been downloaded and installed automatically, site owners should verify that the website is running version 6.02 and that everything still works.
The release includes twelve fixes for WordPress core and five for the block editor. One notable change is an update to the Pattern Directory, intended to help theme authors serve only the patterns associated with their themes. The change is meant to improve the experience for publishers while also making the directory more appealing for theme authors to use.
“Many theme designers use remove_theme_support( 'core-block-patterns' ) to have all core and remote patterns deactivated by default. This guarantees that they are simply offering customers/clients patterns that are pertinent to their theme.
With this modification, the Pattern Directory will look and function better from the theme author’s perspective.”
Three Security Patches
The first vulnerability is described as a high-severity SQL injection issue. A SQL injection vulnerability lets an attacker query the website’s database to view, add, edit, or delete sensitive data. According to analysis by Wordfence, WordPress 6.02 patches a high-severity SQL injection vulnerability, although exploiting it requires administrator credentials.
Wordfence described the weakness as follows:
“On new WordPress installations, the WordPress Link capability, previously known as ‘Bookmarks’, is no longer turned on by default. Even if they are using more recent versions of WordPress, older sites may still have the feature enabled, making millions of legacy sites potentially vulnerable. Fortunately, we discovered that the flaw needs administrator rights and is challenging to exploit in a default setup.”
The “vast” majority of WordPress publishers are said to be unaffected by the second and third vulnerabilities, both of which are classified as stored cross-site scripting.
What To Do
Since version 3.7, WordPress has pushed security updates to sites automatically, so the update ought to have been applied already. It is still worth verifying that the website is operating properly and that there are no conflicts between the installed plugins and the current theme.
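As an added example (not from the article or from WordPress itself), the following POSIX shell check reads the version string WordPress records in wp-includes/version.php and flags any install older than the patched release; it assumes GNU sort -V is available and builds fake install directories so it runs without a real site. The article writes the release as 6.02; the version string WordPress stores is 6.0.2, which is what the comparison uses.

```shell
#!/bin/sh
# Added example: verify that one or more WordPress roots are at or above the
# patched release. WordPress records its version in wp-includes/version.php as:
#   $wp_version = '6.0.2';
PATCHED_VERSION="6.0.2"

# Print the version string recorded under a WordPress root directory ($1).
wp_installed_version() {
    f="$1/wp-includes/version.php"
    [ -f "$f" ] || return 1
    # '.' stands for the literal '$' so the sed script needs no shell escaping.
    sed -n "s/^.wp_version = '\([^']*\)';.*/\1/p" "$f"
}

# Succeed when $1 >= $2 for dotted numeric versions (uses GNU sort -V).
version_at_least() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Exit 0 when the install under $1 is patched, 1 when it is old or unreadable.
check_wordpress_root() {
    v="$(wp_installed_version "$1")"
    if [ -z "$v" ]; then
        echo "$1: no WordPress version found" >&2
        return 1
    fi
    if version_at_least "$v" "$PATCHED_VERSION"; then
        echo "$1: WordPress $v (patched)"
    else
        echo "$1: WordPress $v is older than $PATCHED_VERSION, update needed" >&2
        return 1
    fi
}

# Constructed sample install (no real site needed): $1 = dir, $2 = version.
make_fake_install() {
    mkdir -p "$1/wp-includes"
    printf '<?php\n$wp_version = %s;\n' "'$2'" > "$1/wp-includes/version.php"
}
```

Run it against real sites with `for d in /var/www/*; do check_wordpress_root "$d"; done` (path is an assumption) and act on any non-zero result.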