Hi @shron_shron77
Thanks for flagging this with us. I’m guessing from your message that you got this notification while scanning using a security plugin (such as WordFence or Sucuri), is that right?
This could be because hosting providers that provide managed WordPress hosting leave old WordPress files in place and set permissions so that they can’t be deleted.
Please reach out to your hosting provider about this error, and they should be able to fix this for you.
Let us know if you have any other questions.
@harishanker: This is a known bug that’s being tracked in the issue linked above, and scheduled to be fixed in 5.8.1. It’s not a hosting- or plugin-related problem.
My bad, I stand corrected, @gappiah. Sorry I missed your reply before I commented! I hope this bug gets fixed soon. Thanks for the flag and the helpful reply, George!
I wonder how long before this vulnerability is exploited; hopefully a fix comes sooner rather than later.
Moderator
James Huff
(@macmanx)
Volunteer Moderator
It’s not a vulnerability @thyran
4 CSS files used by WordPress 5.7, but not 5.8, were simply not removed during update to 5.8.
They will be removed when updating to WordPress 5.8.1 when it’s released later.
For more details, see https://core.trac.wordpress.org/ticket/53702
Again, this is not a vulnerability.
Thanks for that clarification. My WAF picked it up as a threat, a low one but still a threat, so I assumed it was one since it detected it as one.
Reading online, it appears CSS files are not impervious to security vulnerabilities. I guess this is why it is detected as one.
Moderator
James Huff
(@macmanx)
Volunteer Moderator
I’m pretty sure they’re just detecting it as files that shouldn’t exist, but only they can answer why.
I can definitely confirm there are absolutely no vulnerabilities in these files.
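One way a "files that shouldn't exist" check can work, as an added example that is not part of the original thread and not any scanner's own code: it compares the core directories against a manifest of expected paths and MD5 hashes and reports leftover files separately from modified or missing ones. The manifest, the sample tree and the names `audit_core`, `demo` and `CORE_DIRS` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Only core directories are audited; wp-content holds plugins and themes
# that are never listed in a core manifest.
CORE_DIRS = ("wp-admin/", "wp-includes/")

def audit_core(root, manifest):
    """Compare files under root with manifest {relative_path: md5_hex}.

    Returns (unexpected, modified, missing) as sorted lists of paths.
    """
    seen, unexpected, modified = set(), [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not rel.startswith(CORE_DIRS):
                continue
            seen.add(rel)
            if rel not in manifest:
                unexpected.append(rel)  # leftover from an older release, or foreign
                continue
            with open(full, "rb") as fh:
                if hashlib.md5(fh.read()).hexdigest() != manifest[rel]:
                    modified.append(rel)  # expected path, different content
    missing = [p for p in manifest if p.startswith(CORE_DIRS) and p not in seen]
    return sorted(unexpected), sorted(modified), sorted(missing)

def demo():
    # Constructed sample tree and manifest, not real WordPress data.
    tree = {
        "wp-includes/version.php": b"<?php // constructed\n",
        "wp-includes/blocks/heading/style.css": b"h1{margin:0}",
        "wp-includes/blocks/heading/editor.css": b"/* leftover */",
        "wp-admin/index.php": b"<?php // edited locally\n",
        "wp-content/plugins/x/x.php": b"<?php\n",
    }
    expected = ("wp-includes/version.php", "wp-includes/blocks/heading/style.css")
    manifest = {p: hashlib.md5(tree[p]).hexdigest() for p in expected}
    manifest["wp-admin/index.php"] = hashlib.md5(b"<?php // original\n").hexdigest()
    manifest["wp-admin/about.php"] = hashlib.md5(b"absent").hexdigest()
    with tempfile.TemporaryDirectory() as root:
        for rel, data in tree.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return audit_core(root, manifest)

if __name__ == "__main__":
    print(demo())
```

A path in the "unexpected" list only says the file is not in the manifest for the installed version; it says nothing about the file's content.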
Apologies if this question is dumb, but I also am getting a notification regarding the same 4 files on Sucuri.
Can I just delete them or do I need to add them to an old file? Thanks in advance!
Moderator
James Huff
(@macmanx)
Volunteer Moderator
You can just delete them.
And after upgrading to 5.9, now this list appears (in Sucuri):
- wp-includes/blocks/heading/editor-rtl.css
- wp-includes/blocks/heading/editor-rtl.min.css
- wp-includes/blocks/heading/editor.css
- wp-includes/blocks/heading/editor.min.css
- wp-includes/blocks/post-content/editor-rtl.css
- wp-includes/blocks/post-content/editor-rtl.min.css
- wp-includes/blocks/post-content/editor.css
- wp-includes/blocks/post-content/editor.min.css
- wp-includes/blocks/query-title/editor-rtl.css
- wp-includes/blocks/query-title/editor-rtl.min.css
- wp-includes/blocks/query-title/editor.css
- wp-includes/blocks/query-title/editor.min.css
- wp-includes/blocks/tag-cloud/editor-rtl.css
- wp-includes/blocks/tag-cloud/editor-rtl.min.css
- wp-includes/blocks/tag-cloud/editor.css
- wp-includes/blocks/tag-cloud/editor.min.css
Is this something that needs to be patched after every upgrade? Are deleted files not tracked, and auto-deleted when the upgrade happens?
(This is not a hosted WP installation, BTW.)
Thanks.
Moderator
James Huff
(@macmanx)
Volunteer Moderator
Hm, I don’t see those files in a fresh download, and I don’t see them on any of my updated sites either.
And, it seems like this was fixed before the final public release of 5.9 shipped: https://core.trac.wordpress.org/ticket/54894
Did you run one of the alphas, betas, or RC of 5.9 at any point?