Heavy WordPress core cross-site scripting vulnerability got patched by BitNinja’s AI File Patcher module with our latest release. This massive vulnerability - fixed in WP 6.5.2 exists in WP 6.4.4 - affects millions of websites and we recommend not to wait for the website owners to do this CMS update. You can fix this easily server-wide by updating BitNinja.

How this all got dangerous

The problem is, WordPress does not escape the Author name of its Avatar block when some settings are enabled, leading to Stored Cross-Site Scripting. In a default setup, contributor and above users could perform such an attack. However, if the blog is using the mentioned settings in the comment template, then unauthenticated users could exploit this.

Changelog

Patcher:

• Fixed an issue where some information could be missing while sending information to the API
• Added a new rule against WP-Core cross-site scripting (XSS) vulnerability

Process Analysis:

• A new module is included in this package: Process Analysis module capable of finding malware that only exist in memory. It is disabled by default and can not be enabled from the Console, as it's in a closed Beta state for now.

Please update your agent version or if you have specific settings or applications preventing automatic updates, you can follow our documentation on how to proceed to have the latest version installed.

If you'd like to read more about previous releases, check the Changelog anytime.

Alternatively, if you would like to see your feature request show up here, don't forget to cast your vote.