On August 30, 2022, the WordPress core team released WordPress version 6.0.2, which contains patches for three vulnerabilities: a High Severity SQL injection (SQLi) vulnerability in the Links functionality and two Medium Severity Cross-Site Scripting vulnerabilities.

WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours.

Additionally, patched versions are available for every major version of WordPress since 3.7, so you can update without risking compatibility problems.

Vulnerability Analysis

As with every WordPress core release containing security fixes, we’ve evaluated the code changes in detail to assess the impact of these vulnerabilities on our customers and to ensure our customers remain protected.

We have determined that these vulnerabilities are unlikely to be targeted for exploitation because of the special cases required to exploit them. In many circumstances, these vulnerabilities require either elevated privileges, such as those of an administrator, or the presence of a separate vulnerable or malicious plugin.

Description: SQL Injection via Links LIMIT clause

The WordPress Link functionality, previously known as “Bookmarks,” is no longer enabled by default on new WordPress installations. However, older sites may still have the functionality enabled, meaning that millions of legacy sites are potentially vulnerable, even if they run newer versions of WordPress. Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration. However, third-party plugins or themes may allow this vulnerability to be used by editor-level users or below.

Vulnerable versions of WordPress failed to properly sanitize the limit argument of the link retrieval query in the get_bookmarks function, which is used to ensure that only a certain number of links are returned. In a default configuration, only the Links legacy widget calls the get_bookmarks function in a way that allows this argument to be set by a user. However, legacy widgets involve additional safeguards, and the injection point in the query itself poses further difficulties, making this vulnerability nontrivial to exploit.

Description: Contributor+ Stored Cross-Site Scripting via use of the the_meta function

WordPress content creators, such as Contributors, Editors, Authors, and Administrators, can add custom fields to any page or post. This allows content creators to add and associate additional data with pages and posts.

WordPress provides several functions that site owners can use to display the custom fields created and associated with pages and posts. One of these is the the_meta function, which retrieves the supplied post’s or page’s custom field data, stored as post meta data, through the get_post_custom_keys and get_post_custom_values functions. Once the custom fields for a post or page are retrieved, the function outputs the post meta keys and values as a list. In versions older than 6.0.2, this data was unescaped on output, making it possible for any scripts injected into post meta keys and values to be executed.

Because any user with access to the post editor can add custom meta fields, users with access to the editor, such as contributors, could inject malicious JavaScript that executes on any page or post where this function is called.

WordPress core does not call the_meta anywhere in its codebase by default. This vulnerability requires a plugin or theme that calls the the_meta function, or for the function to have been programmatically added to a PHP file for execution, so the vast majority of site owners are not vulnerable to this issue. The the_meta function has been deprecated as of 6.0.2, and get_post_meta is the recommended alternative.
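Both issues above depend on theme or plugin code calling the_meta or get_bookmarks, so a practical check is to find those calls in your own wp-content tree. The following scanner is an added example, not code from WordPress or Wordfence; the function names `find_calls`, `call_arguments` and `scan_tree` and the sample input are assumptions made for illustration.

```python
import re
from pathlib import Path

# Bare calls to the two functions named above. The lookbehind rejects longer
# identifiers (get_the_meta), method/static calls (->, ::) and $variables.
CALL_RE = re.compile(r"(?<![\w>:$])(the_meta|get_bookmarks)\s*\(")
DEFINITION_RE = re.compile(r"\bfunction\s+&?\s*$")

# Constructed sample input, not taken from a real theme or plugin.
SAMPLE = r"""<?php
function the_meta() {}
$widget->the_meta();
the_meta();
$links = get_bookmarks( array( 'limit' => $count, 'orderby' => 'name' ) );
$all = get_bookmarks();
"""


def call_arguments(source, open_paren):
    """Text between the parenthesis at open_paren and its matching close."""
    depth = 0
    for i in range(open_paren, len(source)):
        depth += {"(": 1, ")": -1}.get(source[i], 0)
        if depth == 0:
            return source[open_paren + 1:i]
    return source[open_paren + 1:]  # unbalanced source: take the remainder


def find_calls(source):
    """Heuristic scan; returns (line, function, passes_limit) per call."""
    hits = []
    for m in CALL_RE.finditer(source):
        if DEFINITION_RE.search(source[:m.start()]):
            continue  # "function the_meta(" defines it, it is not a call
        args = call_arguments(source, m.end() - 1)
        line = source.count("\n", 0, m.start()) + 1
        # Only get_bookmarks takes the limit argument discussed above.
        passes_limit = m.group(1) == "get_bookmarks" and "limit" in args
        hits.append((line, m.group(1), passes_limit))
    return hits


def scan_tree(root):
    """Run find_calls over every .php file under root, e.g. wp-content."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_calls(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report
```

The scan does not parse PHP, so mentions inside comments or strings are reported as well, and a get_bookmarks call whose arguments are built in a variable elsewhere shows `passes_limit` as False and still needs manual review.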

Description: Stored Cross-Site Scripting via Plugin Deactivation and Deletion errors

The last vulnerability involves the error messages displayed when a plugin has been deactivated due to an error or when a plugin cannot be deleted due to an error. In nearly all cases where this vulnerability might be exploitable, an attacker would already have a firm foothold on the vulnerable site.

Our built-in XSS rule should block any attempts to generate crafted error messages based on user input to a vulnerable plugin.


In today’s article, we covered three vulnerabilities patched in the WordPress 6.0.2 Security and Maintenance Release. Most actively used WordPress sites should be patched through automatic updates within 24 hours. Any sites that remain vulnerable would only be exploitable under specific circumstances.

We strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress higher than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.

Props to Khalilov Moe, John Blackbourn, & FVD for discovering and responsibly disclosing these vulnerabilities. Special thanks to Wordfence Threat Intelligence Lead Chloe Chamberland for collaborating on this post.
