WordPress 5.8.3 security update
Published: 19:13:54 19/01/2022
Since so much of the Web is actually just styled WordPress PHP, I thought it was worth noting
that the WordPress core code itself has just received an update that might be important.
As we all know, by far WordPress's biggest security headaches arise because WordPress is, by
design, a user-extensible platform, and those who are extending it don't necessarily need to be
highly skilled in PHP coding or security before offering well-intentioned though horribly insecure
add-ons, many of which become highly popular before someone who is highly skilled in PHP and
security takes a look at what everyone is using and immediately sounds the alarm.
Consequently, this podcast routinely passes along the news that this or that widely used
WordPress add-on needs to be updated as a result of professional oversight.
But not this time. This time, WordPress itself is in need of some TLC. Yesterday's release,
v5.8.3, is not ultra-critical, but it's probably worth getting around to for anyone who's not using
WordPress's automatic updating mechanism. The update eliminates four vulnerabilities, three of
them rated high severity.
● CVE-2022-21661 is a high severity (CVSS score 8.0) SQL injection via WP_Query. This flaw
is exploitable via plugins and themes that use WP_Query. The fix has been backported to
versions down to 3.7.37, so the flaw has been around for quite a while.
● CVE-2022-21662 is also a high severity (CVSS score 8.0) XSS vulnerability that allows authors,
which is to say lower-privilege users, to add a malicious backdoor or take over a site by
abusing post slugs. The fix also covers WordPress versions down to 3.7.37.
● CVE-2022-21664 is the third high severity flaw, though with a lower CVSS score of 7.4. It's the
second SQL injection, this time via the WP_Meta_Query core class. The fix covers WordPress
versions down to 4.1.34.
● CVE-2022-21663 is a medium severity (CVSS score 6.6) object injection issue that can
only be exploited if an attacker has already compromised the admin account. The fix covers
WordPress versions down to 3.7.37.
So far there have been no reports of these flaws being exploited in the wild. But
WordPress being PHP means that anyone who's inquisitive will be able to quickly determine what
the flaws have long been, and may attempt to use them in attacks. So, again, not super critical,
but worth doing. Vulnerabilities with a CVSS score of 8 should not be left in place if you have a choice.
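A quick defender-side check, added here and not part of the original post: it reads the version string from wp-includes/version.php (the real file layout, `$wp_version = '...';`) and reports whether the install is on a patched release. Only the patched numbers the post names (5.8.3, 4.1.34 and 3.7.37) are encoded; other backported branches are flagged for manual verification rather than guessed, and the sample file fragments are constructed.

```python
import re
from typing import Optional, Tuple

# Patched releases named in the text above: 5.8.3 for the current branch plus the
# backported security releases 3.7.37 and 4.1.34. The patched numbers for the other
# branches between 3.7 and 5.7 are not given there, so they are not invented here.
PATCHED = {(5, 8): (5, 8, 3), (4, 1): (4, 1, 34), (3, 7): (3, 7, 37)}

# Real layout of wp-includes/version.php:  $wp_version = '5.8.2';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(version_php: str) -> Optional[Tuple[Tuple[int, int, int], bool]]:
    """Return ((major, minor, patch), is_prerelease) or None if no version is found."""
    m = VERSION_RE.search(version_php)
    if not m:
        return None
    core, sep, _ = m.group(1).partition("-")   # '5.9-beta3' -> core '5.9'
    nums = [int(p) for p in core.split(".") if p.isdigit()][:3]
    nums += [0] * (3 - len(nums))              # WordPress writes '5.8' for 5.8.0
    return (nums[0], nums[1], nums[2]), bool(sep)


def assess(version_php: str) -> str:
    """Classify an install against the 5.8.3 security release and its backports."""
    parsed = parse_wp_version(version_php)
    if parsed is None:
        return "unknown: $wp_version not found"
    version, prerelease = parsed
    label = ".".join(map(str, version))
    if prerelease:
        return f"verify manually: {label} is a pre-release build"
    branch = version[:2]
    if branch > (5, 8):
        return f"patched: {label} is newer than the 5.8 branch"
    if branch < (3, 7):
        return f"vulnerable: {label} predates the oldest backport (3.7.37)"
    fixed = PATCHED.get(branch)
    if fixed is None:
        return f"verify manually: patched number for the {branch[0]}.{branch[1]} branch not listed here"
    if version >= fixed:
        return "patched"
    return f"vulnerable: {label} is below {'.'.join(map(str, fixed))}"


# Constructed sample fragments of wp-includes/version.php
SAMPLE_OLD = "<?php\n$wp_version = '5.8.2';\n$wp_db_version = 49752;\n"
SAMPLE_NEW = "<?php\n$wp_version = '5.8.3';\n$wp_db_version = 49752;\n"
```

Point it at a real file with `assess(open("wp-includes/version.php").read())`; a "verify manually" result means comparing against that branch's own security release notes.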
If you need help updating and checking your WordPress website, please contact us.