[wp-trac] [WordPress Trac] #61489: 6.1.7 and 6.2.6 Updates Cause Critical Error
WordPress Trac
noreply at wordpress.org
Tue Jun 25 18:22:11 UTC 2024
#61489: 6.1.7 and 6.2.6 Updates Cause Critical Error
-------------------------------+------------------------------
Reporter: mping001 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Upgrade/Install | Version: 6.1
Severity: critical | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Comment (by mping001):
Replying to [comment:27 mping001]:
> Replying to [comment:24 jorbin]:
> > > The automated update doesn't include the same default-filters.php
> > > file that is included when updating the files manually
> >
> > The automated updates use those zips which is why I'm investigating
> > those.
> >
> > Walking through the default-filters file from
> > [https://core.trac.wordpress.org/browser/branches/6.3/src/wp-includes/default-filters.php 6.3],
> > [https://core.trac.wordpress.org/browser/branches/6.4/src/wp-includes/default-filters.php 6.4],
> > and
> > [https://core.trac.wordpress.org/browser/branches/6.5/src/wp-includes/default-filters.php 6.5],
> > none of them have the Footnotes Block code on line 602 so I'm not sure
> > where this file is coming from at all. Would someone be able to upload
> > the file they are seeing on a broken site?
>
> Ah sorry. We just had it happen to a site with 6.0.9 and it didn't take
> the site down but put the error on the homepage for some reason.
> I uploaded the bad file here:
> https://core.trac.wordpress.org/attachment/ticket/61489/default-filters-error.php
> and good file here:
> https://core.trac.wordpress.org/attachment/ticket/61489/default-filters-good.php
>
> If I get another 6.1.7 or 6.2.6 I will add as well.
We have vulnerability patching detection that is triggering on the
default-filters.php with the following details:
Name:
XSS vulnerability in the footnotes block
Description:
The footnotes block is not adequately protected against an XSS attack.
This was not detected prior to the updates and we have patching disabled.
We keep having the issue come back on sites that we previously fixed and
have no idea why the file is being reverted. Nothing in the logs points to
anything replacing the file.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61489#comment:28>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
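The comment above reports a core file (wp-includes/default-filters.php) that keeps coming back in a "bad" state with nothing in the logs explaining the replacement. The practical check an operator wants in that situation is a file-integrity comparison of the install against a known-good manifest, reporting which files differ, when they were last written, and which files are missing or unexpected. The Python below is an added example written for this page; it is not code from the ticket, from the reporter's scanner, or from WordPress. It assumes a manifest of path -> sha256 built from a pristine copy of the same release (on a real site you would build it from the matching wordpress-<version>.zip, or use the official per-version checksum list via `wp core verify-checksums` or api.wordpress.org/core/checksums); the "good" tree, the "site" tree and the file contents here are constructed stand-ins so it runs offline.

```python
"""Added example (not from the ticket): verify a WordPress-style install
against a known-good checksum manifest so a silently reverted core file
such as wp-includes/default-filters.php shows up with its mtime.

Assumptions (not from the page): manifest maps forward-slash relative
paths to sha256 hex digests; the sample trees below are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Hash every file under root, keyed by forward-slash relative path."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_tree(root: str, manifest: dict) -> dict:
    """Compare an install against the manifest.
    Returns {"modified": {rel: {expected, actual, mtime}},
             "missing": [rel, ...], "unexpected": [rel, ...]}."""
    actual = build_manifest(root)
    modified = {}
    for rel, expected in manifest.items():
        got = actual.get(rel)
        if got is not None and got != expected:
            mtime = os.stat(os.path.join(root, rel)).st_mtime
            modified[rel] = {
                "expected": expected,
                "actual": got,
                # the write time is the first lead when no log explains the change
                "mtime": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
            }
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


# Constructed sample contents; not real WordPress source.
GOOD_FILE = b"<?php\n// default-filters.php (constructed stand-in)\nadd_filter('the_content', 'wptexturize');\n"
BAD_FILE = GOOD_FILE + b"// extra block hook (constructed stand-in for the 'bad' file)\n"


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Build a pristine tree and a live tree, then tamper with the live one."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good")
        site = os.path.join(tmp, "site")
        for root in (good, site):
            _write(root, "wp-includes/default-filters.php", GOOD_FILE)
            _write(root, "wp-settings.php", b"<?php\n// constructed\n")
        manifest = build_manifest(good)
        # simulate the reverted file and a stray file dropped on the live site
        _write(site, "wp-includes/default-filters.php", BAD_FILE)
        _write(site, "wp-content/uploads/x.php", b"<?php // constructed stray\n")
        return verify_tree(site, manifest)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it as a cron job or from the deployment pipeline against a manifest pinned to the exact release in wp-includes/version.php; a mismatch on a core file, together with its mtime, narrows the window in which to look for the process (updater, backup restore, scanner "repair", deploy tooling) that rewrote it.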