Unauthenticated Stored XSS Fixed in WordPress Core

WordPress Core recently released v6.5.2, fixing a Stored Cross‑Site Scripting issue in the Avatar block that is present in the 6.x versions. While investigating the patch, we identified that in the worst case, which requires a specific site configuration, the issue can be exploited as an Unauthenticated Stored Cross‑Site Scripting.

Versions 6.5.2, 6.4.4, 6.3.4, 6.2.5, 6.1.6 and 6.0.8 have been released to fix this issue. If your blog is using any 6.x version of WordPress core, it is strongly recommended that you update to one of those versions to be safe.

The patch adds escaping to the Author name, which was previously output unescaped inside the aria‑label attribute of the Author archive link. Untrusted data written into an HTML attribute without attribute‑context escaping lets a crafted display name close the attribute and add its own, which is what made the Stored Cross‑Site Scripting possible.
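To make the attribute‑context problem concrete, here is an added example that is not code from WordPress core or from the advisory. The function name render_avatar_link() and the payload are constructed for illustration; htmlspecialchars() with ENT_QUOTES stands in for WordPress's esc_attr(), which encodes the same characters for this input.

```php
<?php
// Added example (not WordPress core code): why an unescaped author display
// name inside aria-label is an attribute-context XSS, and what attribute
// escaping does to the same input.
// Assumptions (hypothetical): render_avatar_link() stands in for the block's
// render callback; htmlspecialchars(ENT_QUOTES) stands in for esc_attr().

declare(strict_types=1);

/**
 * Build the author-archive link that wraps the avatar image.
 * $escape = false reproduces the pre-patch behaviour: the display name is
 * written into aria-label verbatim.
 */
function render_avatar_link(string $author_name, string $archive_url, bool $escape): string
{
    $label = $escape
        ? htmlspecialchars($author_name, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        : $author_name;

    $href = htmlspecialchars($archive_url, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return '<a href="' . $href . '" aria-label="' . $label . '">'
         . '<img src="avatar.png" alt="">'
         . '</a>';
}

/**
 * Quick check over rendered markup: an on* handler attribute appearing right
 * after the aria-label value means the value broke out of the attribute.
 */
function attribute_breakout(string $html): bool
{
    return (bool) preg_match('/aria-label="[^"]*"\s+on\w+=/', $html);
}

// Constructed payload: a display name that closes the aria-label attribute
// and adds an event-handler attribute. No <script> tag is involved, so a
// filter that only strips tags would not stop it.
$payload = '" onmouseover="alert(document.domain)" data-x="';
$url     = 'https://example.com/author/contributor/';

echo "Unescaped (pre-patch behaviour):\n";
echo render_avatar_link($payload, $url, false), "\n";
echo 'Breakout detected: ', var_export(attribute_breakout(render_avatar_link($payload, $url, false)), true), "\n\n";

echo "Attribute-context escaping (patched behaviour):\n";
echo render_avatar_link($payload, $url, true), "\n";
echo 'Breakout detected: ', var_export(attribute_breakout(render_avatar_link($payload, $url, true)), true), "\n";
```

In the unescaped case the double quote in the display name terminates aria‑label and the rest of the name becomes a new attribute; with attribute escaping every quote becomes an entity and the whole name stays inside aria‑label. The same check is useful when auditing other blocks or theme templates: any place a user‑controlled value lands in an attribute without esc_attr() (or esc_url() for href/src) deserves a closer look.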


To reach the vulnerable code, some specific theme settings, which are disabled by default in themes like Twenty Twenty‑Four, need to be enabled in the Avatar block. Any user with permission to add blocks to a post or page (i.e. Contributor and above) could set those options appropriately and exploit this. Furthermore, if the Avatar block is used in a comment (and is configured appropriately, which depends on site settings controlled by an admin user), an unauthenticated attacker could exploit this as well.

We were able to successfully reproduce both cases, and the proof of concept will be released in the related advisory on wpscan.com on May 8th, 2024.
