Any tools or software usually publishes a bug fix update coming from any significant version update to fix unanticipated technical issues and present new improvements that have not been introduced along with the major version update release. This is what’s expected for every software and content platform. WordPress, an open-source content management system, have informed their users about the latest rollout of patch update of the system which consists of three major security fixes. The said security fixes include a fix for a data exposure flaw that is related to the REST API (an application programming interface that follows the restrictions of REST architectural approach), a fix for Cross-Site Scripting (XSS) vulnerability in the Gutenberg block editor, and a fix for many serious to highly severe vulnerabilities in the Lodash JavaScript Library. Lodash offers utility functions for programming tasks in addressing security problems.
The WordPress developers highly recommend its users immediately update their applications because of how concerning the mentioned vulnerabilities are.
These bugs and vulnerabilities distress WordPress versions between 5.4 and 5.8, and all versions are beginning 5.4 were updated and involved patches for the exposures.
In addition, the developers from WordPress have highlighted that the XSS and privilege escalation bugs affecting the block editor have already been discovered and fixed during version 5.8’s beta testing period.
It was also advised by the U.S. Cybersecurity and Infrastructure Security Agency or CISA for the users to review the release notes and execute the update installations. Some websites that have enabled an automatic background update should already have their systems updated.
It is common for web giants such as WordPress to be a target for cyberattacks. However, there are more cases where threat actors expose bugs and vulnerabilities in some other popular plugins aside from the flaws that affect the core of WordPress.
iZOOlogic has encountered numerous WordPress-based sites where phishing pages targeting prominent banks are directly hosted. Through exploits, the content injection and directory take over is possible. Prevention is better than phishing injection; that is why we recommend patching the security issues by upgrading.
