Support » Fixing WordPress » old wordpress files not removed after wp5.8 update

  • Resolved shron_shron77

    (@shron_shron77)


    Low Severity Problems:

    * Old WordPress core file not removed during update: wp-includes/css/dist/editor/editor-styles-rtl.css

    * Old WordPress core file not removed during update: wp-includes/css/dist/editor/editor-styles-rtl.min.css

    * Old WordPress core file not removed during update: wp-includes/css/dist/editor/editor-styles.css

    * Old WordPress core file not removed during update: wp-includes/css/dist/editor/editor-styles.min.css

    • This topic was modified 11 months, 1 week ago by Jan Dembowski.

    The page I need help with: [log in to see the link]

Viewing 13 replies - 1 through 13 (of 13 total)
  • Moderator Hari Shanker R

    (@harishanker)

    Hi @shron_shron77

    Thanks for flagging this with us. I’m guessing from your message that you got this notification while scanning using a security plugin (such as WordFence or Sucuri), is that right?

    This could be because hosting providers that provide managed WordPress hosting leave old WordPress files in place and set permissions so that they can’t be deleted.

    Please reach out to your hosting provider about this error, and they should be able to fix this for you.

    Let us know if you have any other questions.

    @harishanker: This is a known bug that’s being tracked in the issue linked above, and scheduled to be fixed in 5.8.1. It’s not a hosting- or plugin-related problem.

    Moderator Hari Shanker R

    (@harishanker)

    My bad, I stand corrected, @gappiah. Sorry I missed your reply before I commented! I hope this bug gets fixed soon. Thanks for the flag and the helpful reply, George!

    Thread Starter shron_shron77

    (@shron_shron77)

    thanks guys!

    I wander how long before this vulnerability is exploited hopefully a fix comes sooner rather than later.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    It’s not a vulnerability @thyran

    4 CSS files used by WordPress 5.7, but not 5.8, were simply not removed during update to 5.8.

    They will be removed when updating to WordPress 5.8.1 when it’s released later.

    For more details, see https://core.trac.wordpress.org/ticket/53702

    Again, this is not a vulnerability.

    Thanks for that clarification my WAF picked it up as a threat a low one but still a threat so I assumed it was one since it detected it as one.
    Reading online and it appears css files are not impervious to security vulnerabilities. I guess this is why it is detected as one.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    I’m pretty sure they’re just detecting it as files that shouldn’t exist, but only they can answer why.

    I can definitely confirm there are absolutely no vulnerabilities in these files.

    Apologies if this question is dumb, but I also am getting a notification regarding the same 4 files on Sucuri.

    Can I just delete them or do I need to add them to an old file? Thanks in advance!

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    You can just delete them.

    And after upgrading to 5.9, now this list appears (in Sucuri):

    1. wp-includes/blocks/heading/editor-rtl.css
    2. wp-includes/blocks/heading/editor-rtl.min.css
    3. wp-includes/blocks/heading/editor.css
    4. wp-includes/blocks/heading/editor.min.css
    5. wp-includes/blocks/post-content/editor-rtl.css
    6. wp-includes/blocks/post-content/editor-rtl.min.css
    7. wp-includes/blocks/post-content/editor.css
    8. wp-includes/blocks/post-content/editor.min.css
    9. wp-includes/blocks/query-title/editor-rtl.css
    10. wp-includes/blocks/query-title/editor-rtl.min.css
    11. wp-includes/blocks/query-title/editor.css
    12. wp-includes/blocks/query-title/editor.min.css
    13. wp-includes/blocks/tag-cloud/editor-rtl.css
    14. wp-includes/blocks/tag-cloud/editor-rtl.min.css
    15. wp-includes/blocks/tag-cloud/editor.css
    16. wp-includes/blocks/tag-cloud/editor.min.css

    Is this something that needs to be patched after every upgrade? Are deleted files not tracked, and auto-deleted when the upgrade happens?

    (This is not a hosted WP installation, BTW.)

    Thanks.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Hm, I don’t see those files in a fresh download, and I don’t see them on any of my updated sites either.

    And, it seems like this was fixed before the final public release of 5.9 shipped: https://core.trac.wordpress.org/ticket/54894

    Did you run one of the alphas, betas, or RC of 5.9 at any point?

Viewing 13 replies - 1 through 13 (of 13 total)
  • You must be logged in to reply to this topic.