Jump to content
  • WordPress 5.8.3 security update fixes SQL injection, XSS flaws


    Karlston

    • 936 views
    • 2 minutes
     Share


    • 936 views
    • 2 minutes

    The WordPress development team released version 5.8.3, a short-cycle security release that addresses four vulnerabilities, three of which are rated of high importance.

     

    The set includes an SQL injection on WP_Query, a blind SQL injection via the WP_Meta_Query, an XSS attack via the post slugs, and an admin object injection.

     

    All of the issues have prerequisites for their exploitation, and most WordPress sites that use the default automatic core updates setting aren't in danger.

     

    However, sites using WordPress 5.8.2 or older, with read-only filesystems that have disabled automatic core updates in wp-config.php, could be vulnerable to attacks based on the identified flaws.

     

    The four flaws addressed with the latest security update are the following:

     

    • CVE-2022-21661: High severity (CVSS score 8.0) SQL injection via WP_Query. This flaw is exploitable via plugins and themes that use WP-Query. Fixes cover WordPress versions down to 3.7.37.
    • CVE-2022-21662: High severity (CVSS score 8.0) XSS vulnerability allowing authors (lower privilege users) to add a malicious backdoor or take over a site by abusing post slugs. Fixes cover WordPress versions down to 3.7.37.
    • CVE-2022-21664: High severity (CVSS score 7.4) SQL injection via the WP_Meta_Query core class. Fixes cover WordPress versions down to 4.1.34.
    • CVE-2022-21663: Medium severity (CVSS score 6.6) object injection issue that can only be exploited if a threat actor has compromised the admin account. Fixes cover WordPress versions down to 3.7.37.

     

    There have been no reports of the above being under active exploitation in the wild, and none of these flaws is thought to have a severe potential impact on most WordPress sites.

     

    Nonetheless, it is recommended that all WordPress site owners upgrade to version 5.8.3, review their firewall configuration, and ensure that WP core updates are activated.

     

    This setting can be seen on the 'define' parameter in wp-config.php, which should be "define('WP_AUTO_UPDATE_CORE', true );"

     

    Automated core updates were introduced in 2013 on WordPress 3.7, and according to official stats, only 0.7% of all WP sites are currently running a version older than that.

     

     

    WordPress 5.8.3 security update fixes SQL injection, XSS flaws


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...