On March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for one high-severity vulnerability and two medium-severity issues. The high-severity issue affects versions 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts (stored cross-site scripting). Because this is a security release, it is recommended that you update your sites immediately. Note that, to avoid website crashes and to ensure timely security updates, it is best to use our WordPress Maintenance Service.
WordPress < 5.9.2 – Prototype Pollution in jQuery
The jQuery library used in WordPress is affected by a Prototype Pollution issue. Prototype pollution lets attacker-controlled input (for example a parsed JSON body or query string) add or overwrite properties on Object.prototype, which every other object in the page then inherits.
WordPress (5.9-5.9.1) / Gutenberg (9.8.0-12.7.1) – Contributor+ Stored Cross-Site Scripting
Post authors are able to bypass KSES restrictions in WordPress >= 5.9 (and/or Gutenberg >= 9.8.0) because of the order in which filters are executed, which could allow them to perform Stored Cross-Site Scripting attacks.
WordPress < 5.9.2 / Gutenberg < 12.7.2 – Prototype Pollution via Gutenberg’s wordpress/url package
The @wordpress/url package used in WordPress and the Gutenberg plugin is affected by a Prototype Pollution issue.
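Both prototype pollution advisories above (jQuery and @wordpress/url) describe the same bug class. The following is an added illustration written for this page, not jQuery's or Gutenberg's code: a recursive "deep extend" that copies keys from attacker-controlled input, shown in its vulnerable form beside a hardened form. The payload is constructed for the demo; it is the shape you get from JSON.parse on a request body, and parsers that build nested objects from bracketed query keys such as `a[__proto__][x]=1` feed the same pattern.

```javascript
// Added example: generic prototype pollution via a recursive deep-extend.
// Illustrative code only, not the jQuery or @wordpress/url implementation.

function isObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: iterates every key, including "__proto__". On a plain object,
// target["__proto__"] resolves to Object.prototype, so the recursion writes
// the attacker's nested keys onto the shared prototype.
function vulnerableDeepExtend(target, source) {
  for (const key in source) {
    const val = source[key];
    if (isObject(val)) {
      if (!isObject(target[key])) target[key] = {};
      vulnerableDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: only own keys are copied, the prototype-reaching names are
// skipped, and nested containers are only reused when they are own data
// properties of the target (never an inherited getter like __proto__).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeDeepExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (isObject(val)) {
      const ownNested =
        Object.prototype.hasOwnProperty.call(target, key) && isObject(target[key]);
      if (!ownNested) target[key] = {};
      safeDeepExtend(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Quick check a practitioner can run in a page: has a given name leaked
// onto Object.prototype?
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

function runDemo() {
  // Constructed attacker input (e.g. a JSON request body).
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}, "title": "hello"}');

  const before = isPrototypePolluted('isAdmin');            // false
  vulnerableDeepExtend({}, payload);
  const afterVulnerable = isPrototypePolluted('isAdmin');   // true
  const unrelatedObjectSeesIt = ({}).isAdmin;               // true
  delete Object.prototype.isAdmin;                          // undo the pollution

  const merged = safeDeepExtend({}, payload);
  const afterSafe = isPrototypePolluted('isAdmin');         // false

  return { before, afterVulnerable, unrelatedObjectSeesIt, afterSafe, title: merged.title };
}

console.log(runDemo());
```

The hardened version still copies ordinary keys such as `title`; it only refuses the three names that reach the prototype chain and never recurses into inherited properties of the target. Freezing `Object.prototype` at startup is a complementary defence when the application can tolerate it.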
Read more about this bug: external link here.