WordPress January Roundup: Security Updates and WordPress 6.5 Early Test

The WordPress community started the year 2024 with great enthusiasm, especially with WordPress 6.5 just around the corner and the State of the Word 2023 keynote.

That said, the excitement doesn’t stop the WordPress community from being vigilant. In fact, we had a security update for WordPress core, and plenty of popular plugins fixed security issues. Let’s round up important WordPress news from January!

WordPress 6.4.3 Update

Kicking off the year, we had a security update with the release of WordPress 6.4.3. The update contains five bug fixes on the core and 16 for the block editor. Most importantly, two security patches are included.

The first security patch solved the issue with a PHP file upload bypass vulnerability via the plugin installer. This security flaw allows admin users to upload PHP files into the WordPress installation using the plugin uploader. If admin credentials are leaked, attackers can easily upload PHP-based malware to the WordPress site from this function.

The second security patch addressed a Remote Code Execution (RCE) vulnerability through the Property Oriented Programming (POP) chain. This means someone who shouldn’t have access can sneak in harmful commands during a specific step of data handling. These unwanted actions could include adding or deleting content, changing user information, or even taking complete control of the website.

Both vulnerabilities can only be exploited if the attacker has administrator privilege, which makes them a low threat. However, it’s possible to launch a successful attack if an unauthorized person gains access to an admin user.

To anticipate attacks on websites with older versions, the WordPress team also applied these updates to older versions, down to version 4.1.

If you enable automatic updates for minor releases, this WordPress update should be installed automatically. If you’re unsure, read our guide on how to check the WordPress version, and make sure to update your WordPress site immediately if you’re still using an older version.

Major Plugin Vulnerability Discoveries

WordPress core software is not the only one receiving security fixes in January. Based on the Patchstack database, plenty of vulnerabilities were detected on popular plugins. We’ve listed some of the notable vulnerabilities with high severity. If you’re using any of these plugins, be sure to update to the latest version.

AI Engine

The AI Engine plugin, one of the pioneers of WordPress AI plugins, had a critical flaw in versions before 1.9.98. This flaw allowed attackers to upload any file they wanted to the website’s server, such as malware, to damage or take control of your website.

Updating to version 1.9.99 will close this security loophole, protecting your website from malicious uploads.

Better Search Replace

The Better Search Replace plugin had a security flaw in versions 1.4.4 and below, where attackers could inject harmful PHP objects.

This could lead to serious issues like SQL injection, where attackers could manipulate your website’s database, and arbitrary code execution, where they could run any code they choose on your site. If this happens, your site can be vulnerable to unauthorized changes, data theft, or even a complete takeover.

Updating to version 1.4.5 will fix this vulnerability and keep your site safe.

LearnPress

LearnPress, a widely used plugin for creating online courses, had a security issue in versions 4.2.5.7 and below. This issue made it possible for attackers to perform an SQL injection and Remote Code Execution to access sensitive information on the website’s database and run harmful code directly on your site.

Worryingly, Patchstack reported exploitation attempts on this issue, so it’s highly advised that you update LearnPress to version 4.2.5.8.

Photo Gallery

The Photo Gallery plugin had a security flaw known as a directory traversal issue. This allowed attackers to look through the files in a directory on your website and check if certain files or folders were there.

Although this might not seem like an immediate danger, it could give attackers clues about other vulnerabilities on your WordPress site. By exploiting these vulnerabilities, they could launch more serious attacks.

It’s important to update the plugin to version 1.8.20 to maintain your site’s overall security.

Early Testing for WordPress 6.5

The first beta version of WordPress 6.5 is scheduled for release on February 13, 2024. You can already try some of the upcoming features in the block editor.

WordPress 6.5 is planned to take features from Gutenberg releases up to version 17.6. Simply install the Gutenberg plugin with the latest version and start exploring the new features.

Anne McCarthy, a long-time core contributor, published a comprehensive post listing features that are ready for testing. Here are the major highlights:

• Pattern overrides – the ability to modify a synced pattern’s content specifically to every post or page. This way, you can use synced patterns to ensure design consistency yet have the text inside them tailored for different contexts.

• Data filter in the site editor – while this is currently under the experimental label in the Gutenberg plugin, the new data view lets you filter and sort templates, template parts, and patterns based on several variables. This is useful when dealing with a big library of patterns.

• Font library – the new interface lets you upload custom fonts and connect to Google Fonts. So, you can expand the site’s typography options beyond what’s included in the current theme.

Testing WordPress 6.5 ahead of its official release can be incredibly beneficial. It allows you to identify and resolve any issues in advance, such as bugs or conflicts with your theme. This proactive approach ensures your site remains smooth and functional when the new version goes live.

You can also report any bugs or suggest improvements to the Gutenberg team on their GitHub repository and help make the final release more stable and user-friendly. Your feedback not only helps enhance the overall quality of the update – it also ensures a better experience for the entire WordPress community.

Stay tuned to our blog as we will publish a complete preview of WordPress 6.5.

What’s Coming in February

This month, we will see another WordPress release cycle begin with the launch of the first beta version. You can read the complete roadmap to see what to expect in the new version. Here’s a peek at some interesting ones:

• Appearance tools, part of customization tools for the block editor and block themes, will be available for classic themes.
• New access to the pattern management panel will be added to the dashboard for classic themes to improve users’ experience.
• Interactivity API refinement to make websites more interactive and fun without slowing them down or making them complicated to use.

We encourage you to test the beta once it’s available so you can try the new features and report any of its issues.