WordPress announced a security update to fix two vulnerabilities that could give an attacker the opportunity to stage a full site takeover. Of the two, the more serious one is a stored cross-site scripting (stored XSS) vulnerability.
WordPress Stored Cross Site Scripting (XSS) Vulnerability
The WordPress XSS vulnerability was discovered by the WordPress security team within the core WordPress files.
A stored XSS vulnerability is one in which an attacker is able to inject a script that is saved on the WordPress website itself and then served to other users who view the affected page.
The locations of these kinds of vulnerabilities are generally anywhere that the WordPress site allows input, like submitting a post or a contact form.
Typically these input forms are protected with what is called sanitization. Sanitization is simply a process that makes the form accept only certain kinds of input, such as plain text, and reject (filter out) other kinds of input, such as a JavaScript file.
According to Wordfence, the affected WordPress files did perform sanitization in order to prohibit the upload of malicious files.
But the order in which the sanitization happened set up a situation where the sanitization could be bypassed.
Wordfence offered this insight into the patch that fixes this vulnerability:
“The patched version runs wp_filter_global_styles_post before wp_filter_post_kses so that any potential bypasses have already been processed and wp_kses can effectively sanitize them.”
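The following is an added illustration, not code from WordPress or from Wordfence, of why the order of the two steps matters. It uses Python rather than PHP, and the two functions are deliberately simplified stand-ins: kses_like_sanitize is a toy allowlist tag filter (it is not wp_kses), and normalize_styles is an assumed later processing step that decodes HTML entities, standing in for any transformation that can re-introduce markup after the sanitizer has already run. The sample input is constructed. In the "unpatched" order the sanitizer sees nothing to remove, and the later step turns harmless-looking entities back into a script tag; in the "patched" order the transformation happens first, so the sanitizer gets the final form of the content and strips it.

```python
import html
import re

# Toy allowlist: tags the sanitizer keeps. Everything else is dropped.
ALLOWED_TAGS = {"p", "b", "i", "a"}

# Matches an opening or closing tag and captures its name.
TAG_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)[^>]*>")
# Matches on* event-handler attributes inside an allowed tag.
ATTR_RE = re.compile(r"""\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)


def kses_like_sanitize(fragment: str) -> str:
    """Simplified stand-in for an allowlist HTML sanitizer (not wp_kses).

    Drops any tag not in ALLOWED_TAGS and strips on* attributes from the
    tags it keeps. Text content is left alone.
    """
    def keep_or_drop(match: re.Match) -> str:
        name = match.group(1).lower()
        if name not in ALLOWED_TAGS:
            return ""
        return ATTR_RE.sub("", match.group(0))

    return TAG_RE.sub(keep_or_drop, fragment)


def normalize_styles(fragment: str) -> str:
    """Assumed later processing step (hypothetical, not a WordPress API).

    Models any transformation applied to stored content that can change
    its shape: here, decoding HTML entities such as &lt; back to <.
    """
    return html.unescape(fragment)


def process_unpatched(fragment: str) -> str:
    """Sanitize first, transform second: the transform runs on output the
    sanitizer has already approved, so nothing checks what it produces."""
    return normalize_styles(kses_like_sanitize(fragment))


def process_patched(fragment: str) -> str:
    """Transform first, sanitize second: the sanitizer sees the final form
    of the content, which is the ordering the patch described above uses."""
    return kses_like_sanitize(normalize_styles(fragment))


def contains_script_tag(fragment: str) -> bool:
    """Simple check a reviewer or test can use on the stored result."""
    return re.search(r"<script\b", fragment, re.I) is not None


# Constructed sample: the tag is entity-encoded, so a sanitizer that runs
# before decoding sees only text and has nothing to remove.
SAMPLE = "<p>Hi</p>&lt;script&gt;x()&lt;/script&gt;"

if __name__ == "__main__":
    print("unpatched:", process_unpatched(SAMPLE))
    print("patched:  ", process_patched(SAMPLE))
```

The point generalises beyond entity decoding: any step that runs after the sanitizer and can alter the content (decoding, unserialising, merging stored settings, rendering a template) has to be treated as untrusted input to the sanitizer, which means the sanitizer must run last.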