WordPress Vulnerability Report – March 1, 2023

Vulnerable plugins and themes are some of the most common vectors for attacks on WordPress websites. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since last week’s report. Our goal is to help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper, historical analysis of WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.

WordPress Core News

WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.

WordPress 6.2 Beta 4

WordPress 6.2 Beta 4 rolled out today for testing after being postponed for a few days to deal with a regression. As of Beta 4, over 400 Trac issues have been raised and closed this cycle. The current target for the final release date is still March 28, 2023.

So far, the 6.2 release cycle has made more than 292 enhancements and 354 bug fixes just for the editor. A running total of 289 tickets have been closed in Trac for the 6.2 milestone, with more to come.

In the final 6.2 release, expect to see tight integration with Openverse in the editor and media library. The Navigation block has been significantly improved. A new Style Book feature displays all blocks in the current global styles, and there’s new custom CSS support for your full site and individual blocks. For more details on new features in 6.2, see the Beta 1 release news.

With the arrival of WordPress 6.2, Phase Two of Gutenberg’s development will have ended. Phase Two focused on the Block and Site Editor features that now allow deep customization of site designs and layouts. Next, Phase Three will focus on collaborative editing features. Take a look at the WordPress Development Roadmap to learn more.

Gutenberg 15.2

The latest release of the Gutenberg plugin, version 15.2, is available now if you’d like to get a preview of bleeding-edge features. Please note the 15.2 release offers new features that will be included in the WordPress 6.3 core release but not 6.2. These features include revisions for the full site template editor so you can roll back changes to site templates.

Other new features of note in Gutenberg 15.2 are CSS aspect-ratio controls for the Featured Image block for posts and support for border color, style, and width in the Button block. There’s new typography support for the Latest Comments block, and the Post Excerpt block will have an excerpt length limit control. You’ll find accessibility improvements to labeling, tab, arrow key navigation, and the hierarchy of headings in the editor interface. See the version notes for the full details about many other enhancements and bug fixes.

WordPress Plugin Vulnerabilities

In this section, you’ll find the most recently disclosed WordPress plugin vulnerabilities that have been fixed with a new release from their authors and maintainers. These vulnerabilities have been disclosed and scored for their severity thanks to our friends at Patchstack. Each plugin listing includes the type of vulnerability with its CVE number and CVSS severity rating with links to more technical details. You’ll also see the number of active sites using the plugin and the plugin version release that patches the vulnerability. We start with the most popular plugins, which represent the largest target for attackers.

WordPress Plugin Vulnerabilities – No Known Fix

This section contains plugin vulnerabilities with no known fix. Until a patch is available, you are advised to deactivate the plugin, at minimum, immediately. If there is a high risk of active exploits or the plugin remains unpatched for weeks, you are advised to delete the plugin. You should also delete persistently unpatched plugins the WordPress.org repository has locked and marked “Closed” so they can no longer be downloaded and installed.

WordPress Theme Vulnerabilities

In this section, you’ll find the latest WordPress theme vulnerabilities to be disclosed. You’ll see the same information provided above for vulnerable plugins, and the same advice applies. If a security update exists, install it immediately. If a vulnerability remains unpatched in a theme you are actively using, you will need to find an alternative theme. Deactivate and delete persistently unpatched themes and those that have been “Closed” in the WordPress.org theme repository. If you have a vulnerable theme installed that you are not actively using, simply delete it.