The Digital Security Authority (DSA) wants to bring to your attention a high-severity stored cross-site scripting (XSS) vulnerability in WordPress core, specifically in the Avatar block. It could allow both authenticated and unauthenticated attackers to inject scripts that execute in the browser of any visitor who views an affected page, including logged-in administrators, potentially leading to full site takeover.
Technical Details
Vulnerability Details:
- Vulnerability ID: CVE-2024-4439, CVSS 7.2 (High)
- Affected Versions: WordPress core releases up to and including 6.5.1 (see the branch list below)
- Vulnerability Type: Stored Cross-Site Scripting (XSS); the injected script is persisted on the site and runs in the browser of every user who views a page that renders the affected Avatar block
- Impact: Potential compromise of the website, including data theft, defacement, and malware distribution; if the script runs in an administrator's session it can perform any action that administrator can
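To make the vulnerability class concrete, the following Python example (added here; it is not WordPress code, and the Avatar block's actual rendering path is not shown on this page) contrasts a template that interpolates a user-controlled display name into an HTML attribute unescaped with one that escapes it first, then parses both results the way a browser would, to show which attributes actually end up on the img tag. The display names, the avatar URL and the alt-attribute template are constructed assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (assumptions, not data from the advisory): a benign
# display name and one carrying an attribute-breakout payload of the kind a
# low-privilege user could save through a profile or comment form.
DISPLAY_NAMES = {
    "benign": "Alice Example",
    "payload": '" onerror="alert(document.cookie)" data-x="',
}
AVATAR_URL = "https://example.test/avatar.png"  # placeholder URL, constructed


def render_avatar_unescaped(display_name: str) -> str:
    """Vulnerable pattern: user-controlled text dropped straight into an
    attribute value. Illustrates the class of bug, not the WordPress source."""
    return f'<img src="{AVATAR_URL}" alt="{display_name} Avatar">'


def render_avatar_escaped(display_name: str) -> str:
    """Hardened pattern: escape &, <, >, " and ' before the value enters an
    attribute (the job esc_attr() does in WordPress)."""
    safe = html.escape(display_name, quote=True)
    return f'<img src="{AVATAR_URL}" alt="{safe} Avatar">'


class _ImgAttrs(HTMLParser):
    """Collects the attributes of the first <img> tag after attribute-value
    unescaping, i.e. what a browser's DOM would see."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img" and not self.attrs:
            self.attrs = dict(attrs)


def parsed_img_attributes(markup: str) -> dict:
    """Return {attribute name: value} for the first <img> in the markup."""
    parser = _ImgAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_event_handlers(markup: str) -> list:
    """Names of on* attributes present on the <img>. The template never writes
    any, so a non-empty list means the display name broke out of alt="..."."""
    return sorted(a for a in parsed_img_attributes(markup) if a.startswith("on"))


if __name__ == "__main__":
    for label, name in DISPLAY_NAMES.items():
        for renderer in (render_avatar_unescaped, render_avatar_escaped):
            out = renderer(name)
            print(f"{label:8} {renderer.__name__:24} handlers={injected_event_handlers(out)}")
            print("    ", out)
```

With the payload name, the unescaped renderer yields a tag carrying an extra onerror attribute, while the escaped renderer keeps the whole string inside alt; the parser step matters because a string check on the raw markup would not tell you how the browser tokenises it.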
Affected Versions:
6.5 – 6.5.1, 6.4 – 6.4.3, 6.3 – 6.3.3, 6.2 – 6.2.4, 6.1 – 6.1.5, 6.0 – 6.0.7
Fixed Versions:
6.1.6, 6.2.5, 6.3.4, 6.4.4, 6.5.2
(No fixed release is listed here for the 6.0 branch; sites still on 6.0.x should move to a supported branch.)
Recommendations
The Digital Security Authority recommends updating affected installations to the fixed release for their branch, or to the latest WordPress release. Because the injected script is stored, updating stops it from executing but does not tell you whether it already ran: on sites that were exposed while unpatched, review user-supplied profile fields and comment author names for injected markup, and check for unexpected administrator accounts, plugins and scheduled tasks.
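As an added example that is not part of the advisory, the following Python script applies the version ranges listed above to a fleet of installs: it extracts `$wp_version` from each site's `wp-includes/version.php` (the file WordPress itself uses to record its version), classifies the install as affected, patched, or not covered by this advisory, and names the fixed release to upgrade to. The `version.php` contents and host names are constructed samples; the branch table is taken from the lists above.

```python
import re

# Last affected point release per branch, exactly as listed in this advisory.
LAST_AFFECTED = {
    (6, 5): (6, 5, 1),
    (6, 4): (6, 4, 3),
    (6, 3): (6, 3, 3),
    (6, 2): (6, 2, 4),
    (6, 1): (6, 1, 5),
    (6, 0): (6, 0, 7),
}
# Fixed release per branch as listed; the 6.0 branch has no fix listed here.
FIXED = {(6, 5): "6.5.2", (6, 4): "6.4.4", (6, 3): "6.3.4", (6, 2): "6.2.5", (6, 1): "6.1.6"}
NEWEST_AFFECTED_BRANCH = (6, 5)

# Constructed sample contents of wp-includes/version.php for three hypothetical
# hosts (only the line this script needs; a real file carries more).
SAMPLE_INSTALLS = {
    "shop.example.test": "<?php\n$wp_version = '6.4.3';\n",
    "blog.example.test": "<?php\n$wp_version = '6.5.2';\n",
    "legacy.example.test": "<?php\n$wp_version = '6.0.7';\n",
}

_WP_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""")


def parse_wp_version(version_php: str) -> str:
    """Extract the $wp_version string from the contents of version.php."""
    m = _WP_VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(version: str) -> tuple:
    """'6.5' -> (6, 5, 0); '6.4.3' -> (6, 4, 3). A pre-release suffix such as
    '6.5.2-RC1' is dropped, so pre-release builds compare as their base version
    and should be replaced by the final release regardless."""
    core = re.match(r"\d+(?:\.\d+)*", version)
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in core.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def assess(version: str) -> dict:
    """Classify one version against the advisory's ranges.

    status is 'affected' (with the listed fix, or None for the 6.0 branch),
    'patched' (at or beyond the fix for its branch, or a branch newer than
    6.5), or 'not_listed' (an older branch this advisory does not cover)."""
    v = version_tuple(version)
    branch = v[:2]
    result = {"version": version, "status": None, "upgrade_to": None}
    if branch in LAST_AFFECTED:
        if v <= LAST_AFFECTED[branch]:
            result["status"] = "affected"
            result["upgrade_to"] = FIXED.get(branch)  # None for 6.0.x: no fix listed
        else:
            result["status"] = "patched"
    elif branch > NEWEST_AFFECTED_BRANCH:
        result["status"] = "patched"  # released after 6.5.2, so carries the fix
    else:
        result["status"] = "not_listed"  # older branch; consult the vendor release notes
    return result


def assess_installs(installs: dict) -> dict:
    """Map host name -> assessment for a dict of host -> version.php contents.
    An unparseable file is reported as 'unknown' rather than silently skipped."""
    results = {}
    for host, contents in installs.items():
        try:
            results[host] = assess(parse_wp_version(contents))
        except ValueError:
            results[host] = {"version": None, "status": "unknown", "upgrade_to": None}
    return results


if __name__ == "__main__":
    for host, verdict in assess_installs(SAMPLE_INSTALLS).items():
        print(f"{host:22} {verdict['version'] or '?':8} {verdict['status']:10} "
              f"upgrade_to={verdict['upgrade_to']}")
```

To use it on real hosts, feed `assess_installs` the contents of each site's `wp-includes/version.php` (for example collected over SSH or from backups); a result of `affected` with `upgrade_to=None` flags a 6.0.x install that needs a branch upgrade rather than a point release.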
References
https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
The information presented in this report is based on data available up to 6 May 2024.