WordPress published a troubled security release, version 6.9.2, to patch ten vulnerabilities; the release also caused some sites to crash (display a white screen), so WordPress quickly followed up with a bugfix release, version 6.9.3. Today, WordPress announced another update, version 6.9.4, because not all of the vulnerabilities had been adequately addressed.
WordPress security firm Wordfence published details of four of the vulnerabilities, which were rated as medium severity, while WordPress.org published the full list of ten, including one that is due to an external PHP library.
WordPress published the following advisory about why they needed to release an additional update:
“WordPress 6.9.2 and WordPress 6.9.3 were released yesterday, addressing 10 security issues and a bug that affected template file loading on a limited number of sites.
The WordPress Security Team has discovered that not all of the security fixes were fully applied, therefore 6.9.4 has been released containing the necessary additional fixes.
As this is a security release, it is strongly recommended that you update your sites immediately.”
Timeline Of WordPress Sites Crashing
Some WordPress users reported that the security update caused their sites to crash. Some on Reddit speculated that there was something wrong with the WordPress security patch, inferring that it was related to vibe coding. A discussion in the official WordPress forums describing issues with site functionality also started soon after the security patch was released.
The first post described their issue:
“A few minutes ago I got an update from Dreamhost that my website had automatically updated to WP 6.9.2. Now any page I try to load is coming up blank. I can still log into the back end, the pages are still there for editing, content is present, but when I go to the home page or any other page, nothing is displaying (view source is also empty.)
WordPress 6.9.2 with Crio theme, updated.”
Others followed, describing similar problems, and a few posts later one of the core developers responded to say that the issue is directly related to something in certain themes and suggested verifying that by switching to a different theme. Seven hours after the initial post, the person who started the thread posted again to note that WordPress had issued a bugfix, version 6.9.3, to address the issues introduced by version 6.9.2, which were due to how certain themes were coded and not the security release itself.
Official Response From WordPress
The problem with sites crashing appears to relate to a non-standard way that certain themes load template files. These themes were using an unsupported way of loading templates, which then conflicted with the patch. WordPress engineers quickly issued an additional patch to address these issues, even though the problem was on the theme side, not in WordPress.
According to WordPress’s notes for the bugfix in version 6.9.3:
“This release includes a bugfix for some themes that use an unusual “stringable object” mechanism when loading template file paths that broke in the 6.9.2 security release.
Although this is not an officially supported approach to loading template files in WordPress (the template_include filter only accepts a string), it still caused some sites to break so the team have decided to address this in a fast follow 6.9.3 release. Users using affected themes should update to 6.9.3 to restore the front end of their site to an operational state.”
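As an added illustration (not WordPress core code and not taken from any theme), the script below simulates the `template_include` contract the notes refer to: a theme callback that returns a stringable object versus one that returns a plain string, and a strict receiver that accepts only the string form. The `add_demo_filter`/`apply_demo_filters` helpers, the `TemplatePath` class and `resolve_template` are stand-ins constructed for this example so it runs outside WordPress.

```php
<?php
// Added example (not WordPress core or any theme's code): the template_include
// contract the 6.9.3 notes describe. The filter helpers and TemplatePath class are
// constructed stand-ins so the script runs outside WordPress.

// Constructed stand-in for a theme's "stringable object" template wrapper.
final class TemplatePath
{
    public function __construct(private string $path) {}

    public function __toString(): string
    {
        return $this->path;
    }
}

// Minimal stand-in for add_filter()/apply_filters().
$filters = [];

function add_demo_filter(string $hook, callable $callback): void
{
    global $filters;
    $filters[$hook][] = $callback;
}

function apply_demo_filters(string $hook, mixed $value): mixed
{
    global $filters;
    foreach ($filters[$hook] ?? [] as $callback) {
        $value = $callback($value);
    }
    return $value;
}

/**
 * Accept only the supported form of a filtered template: a string path to a
 * readable file. Anything else, including a Stringable object, is rejected,
 * which is what leaves the front end blank when a theme returns an object.
 */
function resolve_template(mixed $template): ?string
{
    if (!is_string($template) || !is_readable($template)) {
        return null;
    }
    return $template;
}

$defaultTemplate = __FILE__; // constructed: any existing file stands in for index.php

// Unsupported theme behaviour: the callback returns an object, so the strict
// receiver rejects it.
add_demo_filter('template_include', fn($t) => new TemplatePath($t));
var_dump(resolve_template(apply_demo_filters('template_include', $defaultTemplate)));

// Supported theme behaviour: the callback returns a string path.
$filters = [];
add_demo_filter('template_include', fn($t) => (string) $t);
var_dump(resolve_template(apply_demo_filters('template_include', $defaultTemplate)));
```

Run it with `php template_include_demo.php` (PHP 8.0 or later). A theme that wraps template paths in an object internally can keep doing so and still satisfy the string-only contract by returning `(string) $wrapper` from its `template_include` callback.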
Wordfence Advisory
Wordfence published details of four of the vulnerabilities, with CVSS severity ratings of 4.3 to 6.4 on a scale of 1 to 10, with 10 being the highest severity level. All of them require authentication to exploit, meaning that an attacker would first need to obtain user permissions ranging from subscriber level to Administrator in order to launch an attack.
List of four vulnerabilities described by Wordfence:
- WordPress 6.9 – 6.9.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Note Creation via REST API (CVSS Severity Rating 4.3)
- WordPress <= 6.9.1 – Missing Authorization to Authenticated (Author+) Sensitive Information Disclosure via query-attachments AJAX Endpoint (CVSS Severity Rating 4.3)
- WordPress <= 6.9.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Navigation Menu Items (CVSS Severity Rating 4.4)
- WordPress <= 6.9.1 – Authenticated (Author+) XML External Entity Injection via getID3 Library Media Upload (CVSS Severity Rating 6.5)
The Wordfence advisory for the most serious vulnerability, rated 6.5/10, described the flaw:
“WordPress core is vulnerable to XML External Entity (XXE) Injection via the bundled getID3 library in all versions up to and including 6.9.1. This is due to the `GETID3_LIBXML_OPTIONS` constant including the `LIBXML_NOENT` flag, which enables XML entity substitution during parsing.
When WordPress processes media files containing XML metadata (specifically iXML chunks in WAV/RIFF/AVI files), the getID3 library parses the XML with entity substitution enabled, allowing local file disclosure via `file://` protocol URIs. This may make it possible for authenticated attackers with Author-level access to read arbitrary files from the server.”
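Added example, not getID3's, WordPress's or Wordfence's code: a minimal PHP script showing the effect of the `LIBXML_NOENT` flag the advisory describes. The XML document is constructed in the shape of an XML metadata chunk and references a temporary file the script creates itself; the same parser call is made with and without `LIBXML_NOENT`, which is the difference between the vulnerable option set and the hardened one. The `parse_metadata` function and the `BWFXML`/`NOTE` element names are assumptions made for this example, not getID3's API.

```php
<?php
// Added example (not getID3 or WordPress code): the effect of LIBXML_NOENT on an
// XML metadata parser, and the hardened form that leaves the flag out.

// Constructed stand-in for a server-local file the parser must never expose.
$localFile = tempnam(sys_get_temp_dir(), 'xxe_demo_');
file_put_contents($localFile, 'contents-of-a-local-file');

// Constructed XML in the shape of a metadata chunk, declaring an external
// entity that points at that file via a file:// URI.
$xml = '<?xml version="1.0"?>'
     . '<!DOCTYPE BWFXML [ <!ENTITY ext SYSTEM "file://' . $localFile . '"> ]>'
     . '<BWFXML><NOTE>&ext;</NOTE></BWFXML>';

/**
 * Parse the metadata document with the given libxml options and return the
 * text of <NOTE>, or null if the document could not be parsed.
 * (Hypothetical helper for this example, not a getID3 function.)
 */
function parse_metadata(string $xml, int $options): ?string
{
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, $options);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($doc === false) {
        return null;
    }
    return (string) $doc->NOTE;
}

// Vulnerable option set: with LIBXML_NOENT, libxml resolves &ext; by loading the
// referenced file, so its contents end up inside the parsed metadata.
$withNoent = parse_metadata($xml, LIBXML_NOENT);

// Hardened option set: without LIBXML_NOENT the external entity is not loaded
// (libxml 2.9+ / PHP 8 default), so the parsed NOTE carries no file contents.
$withoutNoent = parse_metadata($xml, 0);

printf("LIBXML_NOENT set:     %s\n", var_export($withNoent, true));
printf("LIBXML_NOENT omitted: %s\n", var_export($withoutNoent, true));

unlink($localFile);
```

Run with `php xxe_flag_demo.php` on PHP 8 with libxml 2.9 or later. The defensive point is that the parser options, not the input, decide whether an external entity is resolved: a code review or a simple grep for `LIBXML_NOENT` (and `LIBXML_DTDLOAD`) in bundled libraries finds this class of issue before an upload ever reaches it.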
This is the full list of ten vulnerabilities:
- A Blind SSRF issue
- A PoP-chain weakness in the HTML API and Block Registry
- A regex DoS weakness in numeric character references
- A stored XSS in nav menus
- An AJAX query-attachments authorization bypass
- A stored XSS via the data-wp-bind directive
- An XSS that allows overriding client-side templates in the admin area
- A PclZip path traversal issue
- An authorization bypass on the Notes feature
- An XXE in the external getID3 library
WordPress Recommends Immediate Update
It’s not known how severe the other six vulnerabilities are, although the ones that Wordfence described were rated only at a medium level of severity and required an attacker to first attain a user role. Nevertheless, WordPress recommends that site publishers update their sites to version 6.9.4 immediately.
Featured Image by Shutterstock/Who is Danny