
The WordPress community started 2024 with great excitement, especially with WordPress 6.5 just around the corner and State of the Word 2023.
That said, the excitement isn’t stopping the WordPress community from being vigilant. In fact, WordPress core received a security update and many popular plugins fixed security issues. Let’s round up important WordPress news from January!
WordPress Update 6.4.3
Starting the year, we had a security update with the release of WordPress 6.4.3. The update contains five bug fixes in the core and 16 for the block editor. Most importantly, two security patches are included.
The first security patch fixed a PHP file upload bypass vulnerability in the plugin installer. This flaw allowed administrators to upload PHP files to the WordPress installation through the plugin uploader. If admin credentials are leaked, attackers can easily use this feature to upload PHP-based malware to your WordPress site.
The second security patch addressed a Remote Code Execution (RCE) vulnerability through a Property Oriented Programming (POP) chain. This means that someone who shouldn’t have access can get malicious code executed during a particular data-processing step (the deserialization of stored data). These unwanted actions could include adding or deleting content, changing user information, or even taking complete control of the site.
Both vulnerabilities can only be exploited if the attacker already has administrative privileges, making them a low threat. However, a successful attack becomes possible if an unauthorized person gains access to an administrator account.
To protect sites running older versions, the WordPress team backported these fixes to older release branches, all the way back to 4.1.
If you enable automatic updates for minor releases, this WordPress update should be installed automatically. If you’re not sure, read our guide on how to check your WordPress version and be sure to update your WordPress site immediately if you’re still using an older version.
Important plugin vulnerability discoveries
The core WordPress software isn’t the only one getting security patches in January. Based on the Patchstack database, several vulnerabilities were found in popular plugins. We have listed some of the notable high severity vulnerabilities. If you use any of these plugins, be sure to update to the latest version.
AI Engine
The AI Engine plugin, one of the pioneers of WordPress AI plugins, had a major flaw in versions prior to 1.9.98. This flaw allowed attackers to upload any file they wanted to the site’s server, such as malware, to damage or take control of your site.
Updating to version 1.9.99 closes this security loophole, protecting your site from malicious uploads.
Better Search Replace
The Better Search Replace plugin had a PHP object injection flaw in versions 1.4.4 and earlier, where attackers could inject malicious PHP objects.
This could lead to serious issues like SQL injection, where attackers could manipulate your site’s database, and arbitrary code execution, where they could execute any code they choose on your site. If this happens, your site may be vulnerable to unauthorized changes, data theft, or even a complete takeover.
Updating to version 1.4.5 fixes this vulnerability and keeps your site safe.
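The POP chain behind the WordPress 6.4.3 RCE fix and the PHP object injection in Better Search Replace share one root cause: untrusted data reaching PHP's unserialize(). The following is an added example (not code from the post or from any plugin it mentions) with a hypothetical gadget class, showing why that is dangerous and how the hardened call neutralises it:

```php
<?php
// Added example, not code from the post or from any plugin it mentions. It
// shows the mechanism behind a POP chain: unserialize() on attacker-controlled
// data instantiates whatever class the data names, and that class's magic
// methods (__wakeup, __destruct, ...) then run with attacker-chosen properties.

// Hypothetical gadget class, standing in for one an attacker could find in
// loaded plugin or theme code. Its __destruct fires when the object is freed.
class CacheFile
{
    public $path;
    public $contents;

    public function __destruct()
    {
        // A real gadget would call file_put_contents() here; we only report it.
        echo "gadget fired: would write '{$this->contents}' to {$this->path}\n";
    }
}

// Vulnerable pattern: untrusted input handed straight to unserialize().
function import_settings_vulnerable(string $untrusted)
{
    return unserialize($untrusted);
}

// Hardened pattern: refuse to instantiate any class. Named classes in the
// payload become __PHP_Incomplete_Class and no magic method ever runs.
function import_settings_hardened(string $untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Constructed payload: serialize a plain stdClass, then swap in the gadget's
// class name. Only the class name and property names need to be known.
$template = serialize((object) ['path' => 'wp-content/uploads/demo.txt', 'contents' => 'hello']);
$payload  = str_replace('O:8:"stdClass"', 'O:9:"CacheFile"', $template);

echo "vulnerable: ";
$obj = import_settings_vulnerable($payload);
unset($obj);   // destructor of the attacker-created object runs here

echo "hardened: ";
$obj = import_settings_hardened($payload);
echo get_class($obj), "\n"; // __PHP_Incomplete_Class
unset($obj);   // nothing fires
```

For new code, a format with no object semantics (for example JSON via json_decode()) avoids the problem entirely.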
LearnPress
LearnPress, a widely used plugin for creating online courses, had a security issue in versions 4.2.5.7 and earlier. This issue allowed attackers to perform SQL injection and remote code execution, accessing sensitive information in the site’s database and executing malicious code directly on your site.
Worryingly, Patchstack has reported exploit attempts for this issue, so it is highly recommended that you update LearnPress to version 4.2.5.8.
Photo Gallery
The Photo Gallery plugin had a security flaw known as a directory traversal issue. This allowed attackers to reach into directories on your site outside the intended one and check whether specific files or folders existed.
While this may not seem like an immediate risk, it could give attackers clues about other vulnerabilities in your WordPress site. By exploiting these vulnerabilities, they could launch more serious attacks.
It is important to update the plugin to version 1.8.20 to maintain the overall security of your website.
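As an added example (not code from the post or from the Photo Gallery plugin), here is the kind of path containment check that prevents the traversal and file-existence probing described above. It assumes a hypothetical handler that serves files from one fixed base directory:

```php
<?php
// Added example (not code from the post or from the Photo Gallery plugin): a path
// containment check of the kind that stops the directory traversal and file-existence
// probing described above. It assumes a hypothetical handler that serves files from
// one fixed base directory.

function gallery_path_or_null(string $baseDir, string $userSupplied): ?string
{
    // 1. Lexical checks before touching the filesystem, so the response cannot act as
    //    an existence oracle for anything outside $baseDir.
    if ($userSupplied === '' || strpos($userSupplied, "\0") !== false) {
        return null;
    }
    $segments = explode('/', str_replace('\\', '/', $userSupplied));
    foreach ($segments as $seg) {
        if ($seg === '..' || $seg === '') {  // '' catches a leading '/' and '//'
            return null;
        }
    }
    // 2. Canonicalise (follows symlinks) and confirm the result is still inside base.
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . implode('/', $segments));
    if ($base === false || $full === false) {
        return null; // base missing, or file absent (only reachable for in-base paths)
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Demo with a constructed temporary gallery directory.
$base = sys_get_temp_dir() . '/gallery-demo';
@mkdir($base);
file_put_contents($base . '/photo.jpg', 'not really a jpeg');
var_dump(gallery_path_or_null($base, 'photo.jpg'));        // string: the real path
var_dump(gallery_path_or_null($base, '../../etc/passwd')); // NULL, rejected in step 1
var_dump(gallery_path_or_null($base, '/etc/hostname'));    // NULL, rejected in step 1
var_dump(gallery_path_or_null($base, 'missing.jpg'));      // NULL, in-base but absent
```

The lexical rejection in step 1 matters because realpath() alone returns false for missing files, which would leak whether a path outside the base directory exists.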
Early testing for WordPress 6.5
The first beta version of WordPress 6.5 is scheduled to be released on February 13, 2024. You can already try out some of the upcoming features in the block editor.
WordPress 6.5 is scheduled to receive features from Gutenberg versions up to version 17.6. Just install the Gutenberg plugin with the latest version and start exploring the new features.
Anne McCarthy, a long-time core contributor, has posted a comprehensive list of features that are ready for testing. Here are the highlights:
- Pattern overrides – the ability to modify the content of a synced pattern individually on each post or page. This way, you can use synced patterns to ensure design consistency while having the text within them adapted for different contexts.
- Data views in the site editor – while currently under the experimental flag in the Gutenberg plugin, the new data views allow you to filter and sort templates, template parts, and patterns based on multiple variables. This is useful when dealing with a large pattern library.
- Font library – the new interface allows you to upload custom fonts and connect to Google Fonts. So you can expand your website’s typography options beyond what’s included in the current theme.
Testing WordPress 6.5 before its official release can be incredibly beneficial. It allows you to identify and resolve any issues in advance, such as bugs or conflicts with your theme. This proactive approach ensures that your site remains smooth and functional when the new version is released.
You can also report any bugs or suggest improvements to the Gutenberg team in the GitHub repository and help make the final version more stable and user-friendly. Your feedback not only helps improve the overall quality of the update – it also ensures a better experience for the entire WordPress community.
Stay tuned to our blog as we publish a full preview of WordPress 6.5.
What’s coming in February
This month, we will see another WordPress release cycle begin with the release of the first beta version. You can read the full roadmap to see what to expect in the new version. Here’s a look at some interesting ones:
- Appearance tools, part of the customization tools for block editor and block themes, will be available for classic themes.
- New theme management panel access will be added to the classic themes dashboard to improve the user experience.
- Improving the Interactivity API to make websites more interactive and fun without slowing them down or making them complicated to use.
We recommend that you try the beta version as soon as it is available, so that you can test the new features and report any problems you find.