• Hello,

    I’m using WordPress version 6.8.2 (or earlier) on my site. Today, my security plugin (Solid Security Basic, powered by Patchstack) reported the following unresolved vulnerabilities:

    • Sensitive Data Exposure – affecting WordPress ≤ 6.8.2
    • Cross-Site Scripting (XSS) – affecting WordPress ≤ 6.8.2

    Both are currently marked as Low priority, but still unresolved. Real-time updates and virtual patching are inactive on my setup.

    Are you currently working on a fix for these issues, and if so, when is it expected to be released?

    Thank you in advance for your help!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator threadi

    (@threadi)

    Can you please post more than just the titles of the two reports? There should also be CVE numbers that can be used to determine exactly which component is involved.

    Thread Starter lohanelbt

    (@lohanelbt)

    Moderator threadi

    (@threadi)

    Thank you very much for the information. I can’t find anything about either CVE in Core Trac. According to Patchstack, the Core Security Team has already been informed. Therefore, it is possible that this issue is not being dealt with publicly for security reasons.

    You can read about how expert volunteers working on open source software deal with security reports here: https://wordpress.org/about/security/

    You therefore have the following options:

    • Wait until the WordPress Security Team publishes something about it. This could be a patch that is integrated into the core and a subsequent WordPress release.
    • Report the issue to the security team yourself using the methods described at https://wordpress.org/about/security/. I’m not sure if this makes sense, as according to Patchstack, the team is already aware of the issue.
    • Open a ticket in Core Trac. However, this could result in it being closed immediately, as the security team is already working on it in a not yet public ticket.

    However, I also see that neither CVE is likely to be a target for exploits. Therefore, based on the classification, I would say that they pose only a low risk, judging from what I read there without knowing any details (like you).

The topic ‘WordPress vulnerabilities detected on version 6.8.2’ is closed to new replies.