WordPress Discovers XSS Vulnerability - Recommends Updating To 6.5.2

April 10, 2024 at 7:02:10 AM


WordPress has launched the 6.5.2 Maintenance and Security Release to patch a stored cross-site scripting (XSS) vulnerability and fix over a dozen bugs in the core and the block editor. This vulnerability also affects the Gutenberg plugin.

An XSS vulnerability allows an attacker to inject scripts into a website, which can then be used to attack site visitors. There are three types of XSS vulnerabilities; the most common in WordPress are reflected XSS and stored XSS. The vulnerability discovered in WordPress is a stored XSS, which is more concerning because it allows an attacker to upload a script to the vulnerable site, where it can launch attacks against site visitors.

However, the threat is somewhat mitigated because this is an authenticated stored XSS, meaning the attacker needs at least contributor-level permissions to exploit the flaw. The vulnerability is rated as a medium-level threat, with a Common Vulnerability Scoring System (CVSS) score of 6.4 out of 10.

Wordfence describes the vulnerability as allowing authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The official WordPress announcement recommends that users update their installations immediately. Backports are also available for other major WordPress releases, 6.1 and later.
