
WordPress 6.0.3 Security Update – 16 Vulnerabilities That Must Be Fixed

The WordPress 6.0.3 Security Update contains patches for many vulnerabilities, most of which are low in severity or require a highly privileged user account or additional vulnerable code to exploit.

We are sharing these vulnerabilities so you know about them and can take action to avoid a hacked site.

1. Authenticated (Contributor+) Stored Cross-Site Scripting via RSS Widget/Block
Affected Versions: WordPress Core < 6.0.3 & Gutenberg < 14.3.1
Researcher: N/A
CVE ID: Pending
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54543

A contributor-level attacker could create a page on a site they controlled that returned an error code and a malicious script in the Content-Type response header.

2. Authenticated Stored Cross-Site Scripting via Search Block
Affected Versions: WordPress Core < 6.0.3 & Gutenberg < 14.3.1
Researcher: Alex Concha
CVE ID: Pending
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54543

It is possible for users who can edit posts to inject malicious JavaScript via the Search Block's Text color and Background color attributes.
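The Search Block issue above is a case of a block attribute (a colour) flowing into markup without a strict enough check. The following is an added example, not WordPress core or Gutenberg code, of how a renderer can constrain such attributes: the function names, the named-colour allow-list and the preset-slug mapping are assumptions for illustration.

```php
<?php
// Added example (not WordPress core or Gutenberg code): a strict validator for
// block colour attributes, applied before the value reaches an inline style.

// Return a safe CSS colour, or null when the input is not acceptable. Accepted
// grammar: #rgb/#rrggbb/#rrggbbaa hex, rgb()/rgba()/hsl()/hsla() with numeric
// arguments, a short allow-list of named colours, or a theme preset slug.
function sanitize_block_color(string $value): ?string
{
    $value = strtolower(trim($value));

    if (preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{6}|[0-9a-f]{8})$/', $value)) {
        return $value;
    }
    if (preg_match('/^(?:rgb|rgba|hsl|hsla)\(\s*[0-9.]+%?(?:\s*,\s*[0-9.]+%?){2,3}\s*\)$/', $value)) {
        return $value;
    }
    $named = ['black', 'white', 'red', 'green', 'blue', 'transparent', 'currentcolor'];
    if (in_array($value, $named, true)) {
        return $value;
    }
    // Preset slugs such as "vivid-red": only [a-z0-9-] is allowed, and the text
    // becomes a custom-property name rather than raw style-sheet syntax.
    if (preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $value)) {
        return 'var(--wp--preset--color--' . $value . ')';
    }
    return null; // quotes, angle brackets, url(), expression() etc. are dropped
}

// Build the style attribute for the block's input field. Rejected colours are
// omitted, and the result is still HTML-escaped (WordPress would use esc_attr()).
function build_search_style(array $attrs): string
{
    $rules = [];
    foreach (['textColor' => 'color', 'backgroundColor' => 'background-color'] as $attr => $prop) {
        $color = isset($attrs[$attr]) ? sanitize_block_color((string) $attrs[$attr]) : null;
        if ($color !== null) {
            $rules[] = $prop . ':' . $color;
        }
    }
    return $rules ? ' style="' . htmlspecialchars(implode(';', $rules), ENT_QUOTES, 'UTF-8') . '"' : '';
}

// Constructed sample attributes: a hex colour, a preset slug, and a value
// carrying markup characters that must never reach the rendered HTML.
$ok = ['textColor' => '#FF0000', 'backgroundColor' => 'vivid-cyan-blue'];
echo '<input type="search"' . build_search_style($ok) . ">\n";
if (sanitize_block_color('red"><b>') !== null) {
    throw new RuntimeException('unsafe colour value was accepted');
}
```

Rejecting rather than escaping an invalid colour keeps the style grammar itself under the site's control, which is the property the patched block needs.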

3. Authenticated Stored Cross-Site Scripting via Featured Image Block
Affected Versions: WordPress Core < 6.0.3 & Gutenberg < 14.3.1
Researcher: N/A
CVE ID: Pending
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.3
Changeset: https://core.trac.wordpress.org/changeset/54543

Copyright © 2025 All Rights Reserved to Bright Plugins