![WordPress Core 6.0.2 Security & Maintenance Release](https://spidersavvy.com/wp-content/uploads/2022/08/WordPress-Core-6.0.2-Security-Maintenance-Release.jpg)
On August 30, 2022, the WordPress core team released WordPress version 6.0.2, which addresses three vulnerabilities, including a high-severity SQL injection vulnerability in the Links functionality and two medium-severity cross-site scripting (XSS) vulnerabilities.
WordPress has supported automated core updates for security releases since version 3.7, and most WordPress sites should automatically receive a patch for their major version within the next 24 hours. Additionally, patched versions are available for every major version of WordPress since 3.7, allowing for upgrades without compatibility issues.
Vulnerability Analysis
As with every WordPress core release containing security fixes, we have evaluated the code changes in detail to assess the impact of these vulnerabilities on our customers and to ensure they remain protected. Our analysis indicates that these vulnerabilities are unlikely to be exploited due to the specific conditions required. In most cases, these vulnerabilities require elevated privileges, such as those of an administrator, or the presence of a separate vulnerable or malicious plugin.
Vulnerability Details
SQL Injection via Links LIMIT Clause
The WordPress Links functionality, previously known as “Bookmarks,” is no longer enabled by default on new WordPress installations. However, older sites may still enable this functionality, making numerous legacy sites potentially vulnerable, even if they run newer WordPress versions. Fortunately, this vulnerability requires administrative privileges and is difficult to exploit in a default setup. Third-party plugins or themes may allow this vulnerability to be exploited by users with editor-level privileges or lower.
Vulnerable versions of WordPress failed to properly sanitize the LIMIT argument of the link retrieval query in the get_bookmarks function, which was used to ensure that only a specific number of links were returned. In a default configuration, only the Links legacy widget calls the get_bookmarks function in a way that allows this argument to be set by a user. However, legacy widgets include additional safeguards, and the query injection point poses further challenges, making this vulnerability nontrivial to exploit.
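The defect described above is a classic numeric-parameter injection: a value that should only ever be an integer is concatenated into the LIMIT clause unchecked. The following is an added illustration written for this post, not WordPress core's own code or its exact fix. It assumes a loaded WordPress environment (`$wpdb`, `get_bookmarks()`, `absint()`), and the function names beginning with `example_` are hypothetical.

```php
<?php
// Added example (not WordPress core code): bounding a links query safely.
// Assumes the WordPress runtime is loaded ($wpdb, absint(), get_bookmarks()).

// Vulnerable pattern: a caller-controlled limit concatenated straight into SQL.
// Whatever string arrives in $limit becomes part of the query text.
function example_links_unsafe( $limit ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->links} WHERE link_visible = 'Y' "
         . "ORDER BY link_name LIMIT " . $limit;   // no validation at all
    return $wpdb->get_results( $sql );
}

// Hardened pattern: coerce the limit to an integer first, then bind it with
// a %d placeholder so the database driver never sees it as SQL text.
function example_links_safe( $limit ) {
    global $wpdb;
    $limit = intval( $limit );        // "10; anything" becomes 10, "" becomes 0
    $sql   = "SELECT * FROM {$wpdb->links} WHERE link_visible = 'Y' ORDER BY link_name";
    if ( $limit > 0 ) {               // treat 0 or a negative value as "no limit",
        $sql = $wpdb->prepare( $sql . ' LIMIT %d', $limit );   // mirroring get_bookmarks' -1 convention
    }
    return $wpdb->get_results( $sql );
}

// The same rule applies when delegating to get_bookmarks() from a widget or
// theme: sanitize the user-supplied setting before it reaches the API, so the
// caller is safe regardless of how core builds the query.
function example_widget_links( array $instance ) {
    $limit = isset( $instance['limit'] ) ? absint( $instance['limit'] ) : 10;
    return get_bookmarks( array( 'limit' => $limit, 'orderby' => 'name' ) );
}
```

The point for plugin and theme authors is the last function: even where core has been patched, any code that forwards an unsanitized option or request parameter into `get_bookmarks()` should still coerce it to an integer, because that is the only type the `limit` argument is ever meant to carry.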
Contributor+ Stored Cross-Site Scripting via the the_meta Function
WordPress content creators, such as Contributors, Editors, Authors, and Administrators, can add custom fields to any page and post. This allows website content creators to add and associate additional information with pages and posts.
WordPress provides several functions to display custom fields associated with pages and posts. One such function is the_meta, which retrieves a post’s or page’s custom field data, stored as post metadata, via the get_post_custom_keys and get_post_custom_values functions. In versions older than 6.0.2, this data was output without escaping, allowing any scripts injected into post meta keys or values to execute in the browser.
Because any user with access to the post editor can add custom meta fields, lower-privileged users such as Contributors could inject malicious JavaScript that executes on any page or post where this function is called.
WordPress core does not call the_meta by default. This vulnerability requires a plugin or theme that calls the the_meta function or for this function to have been programmatically added to a PHP file. Hence, most website owners are not vulnerable to this issue. The the_meta function has been deprecated since 6.0.2 and get_post_meta is the recommended alternative.
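To make the escaping gap concrete, here is an added example (written for this post, not WordPress core's own code) of a theme helper that renders custom fields the way the_meta did, first unescaped and then with output escaping and the recommended get_post_meta call. It assumes a loaded WordPress environment (`get_post_meta()`, `is_protected_meta()`, `esc_html()`); the `example_` function names are hypothetical.

```php
<?php
// Added example (not WordPress core code): rendering post custom fields.
// Assumes the WordPress runtime: get_post_meta(), is_protected_meta(), esc_html().

// Unsafe pattern: meta keys and values are echoed verbatim. A custom field
// saved by any editor-capable user with a value such as "<script>...</script>"
// would be emitted as live markup on every page that calls this.
function example_the_meta_unsafe( $post_id ) {
    foreach ( (array) get_post_custom_keys( $post_id ) as $key ) {
        $value = implode( ', ', (array) get_post_custom_values( $key, $post_id ) );
        echo "<li>{$key}: {$value}</li>\n";   // no escaping on either side
    }
}

// Hardened replacement: read all meta via get_post_meta(), skip protected
// (underscore-prefixed) keys, and escape both key and value for HTML context.
// Returns a string so the caller decides where it is echoed.
function example_the_meta_safe( $post_id ) {
    $all_meta = get_post_meta( $post_id );   // key => array of raw values
    if ( empty( $all_meta ) ) {
        return '';
    }
    $items = '';
    foreach ( $all_meta as $key => $values ) {
        if ( is_protected_meta( $key, 'post' ) ) {
            continue;                        // _edit_lock, _thumbnail_id, etc.
        }
        $value  = implode( ', ', array_map( 'trim', (array) $values ) );
        $items .= sprintf(
            "<li><span class=\"post-meta-key\">%s:</span> %s</li>\n",
            esc_html( $key ),                // "<script>" becomes "&lt;script&gt;"
            esc_html( $value )
        );
    }
    return $items ? "<ul class=\"post-meta\">\n{$items}</ul>\n" : '';
}

// Template usage: echo example_the_meta_safe( get_the_ID() );
```

Escaping at output time, with the escaper chosen for the context (esc_html here, esc_attr inside attributes, esc_url for links), is the control that holds regardless of who saved the meta or how; input filtering at save time is a useful second layer but not a substitute.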
Stored Cross-Site Scripting via Plugin Deactivation and Deletion Errors
The last vulnerability involves the error messages displayed when a plugin has been deactivated due to an error or when a plugin cannot be deleted due to an error. In nearly all cases where this vulnerability might be exploitable, an attacker already has a firm foothold on the vulnerable site.
Our integrated XSS rule should block any attempts to create crafted error messages based on user input to a vulnerable plugin.
Conclusion
Today’s article covered three vulnerabilities patched in the WordPress 6.0.2 Security and Maintenance Release. Most actively used WordPress sites should be patched through automatic updates within 24 hours. Any sites that remain vulnerable would only be exploitable under specific circumstances.
If your website hasn’t been updated automatically, we highly recommend updating to a patched version of WordPress. As long as you run a version of WordPress higher than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you won’t need to worry about compatibility issues.
Special thanks to Khalilov Moe, John Blackbourn, and FVD for self-disclosing these vulnerabilities. Thanks to Wordfence Threat Intelligence Lead Chloe Chamberland for collaborating on this post.