WordPress Issues Urgent Security Update to Patch Multiple Vulnerabilities

WordPress, the world’s leading content management system (CMS), has released a critical security update, “WordPress 6.5.5,” to address three significant vulnerabilities that could potentially expose millions of websites to cyber attacks.

The vulnerabilities, discovered by both internal and external security researchers, include:

• CVE-2024-6307 (CVSS 6.4) – Cross-Site Scripting (XSS) vulnerability in the HTML API: This flaw could allow attackers to inject malicious scripts into web pages, potentially leading to data theft, website defacement, or redirection to harmful sites.
• CVE-2024-6305 (CVSS 6.4) – Cross-Site Scripting (XSS) vulnerability in the Template Part block: This vulnerability could also enable attackers to execute malicious scripts, further compromising website security.
• CVE-2024-6306 (CVSS 4.3) Path Traversal issue on Windows-hosted sites: This vulnerability could allow attackers to access unauthorized files and directories on a web server, potentially leading to sensitive information disclosure or system compromise.

The WordPress development team has acknowledged the severity of these vulnerabilities and strongly recommends that all users update their WordPress installations to version 6.5.5 immediately.

These vulnerabilities, if exploited, could have devastating consequences for website owners. Attackers could gain unauthorized access to sensitive data, manipulate website content, spread malware, or even take complete control of a website.

All WordPress websites running versions prior to 6.5.5 are vulnerable to these security flaws. WordPress users with automatic updates enabled will receive the update automatically. For those who update manually, the process can be done through the WordPress dashboard or by downloading the latest version directly from the WordPress website.