A critical WordPress vulnerability has been patched. Despite the fact that the exploit is classified as critical, one security researcher believes that it is unlikely that the vulnerability will be exploited.
WordPress version 5.7.2 has been patched. Publishers should be receiving this update without any additional action from sites that have opted into automatic download.
Publishers are encouraged to check which version of WordPress they are using and update to version 5.7.2.
Vulnerability to Object Injection
Object Injection is the name of the vulnerability that is affecting WordPress. It’s an object injection vulnerability in PHPMailer, specifically.
This is the definition of a PHP Object Injection vulnerability, according to the Owasp.org security website:
“PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.
The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function.
Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.”
Vulnerability in WordPress Critically acclaimed
The vulnerability is rated near the top of the criticality scale. This vulnerability is rated 9.8 on a scale of 1 to 10 by the Common Vulnerability Scoring System (CVSS).
The official US government vulnerability rating was published on the Patchstack security website.
According to the Patchstack security website, which published the vulnerability’s details:
Object injection in PHPMailer vulnerability discovered in WordPress (one security issue affecting WordPress versions between 3.7 and 5.7).
Update the WordPress to the latest available version (at least 5.7.2). All WordPress versions since 3.7 have also been updated to fix the following security issue.”
According to the official WordPress announcement for WordPress 5.7.2,
One security issue affects WordPress versions between 3.7 and 5.7.
If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues:
Object injection in PHPMailer”
This problem occurred because a fix for a previous vulnerability created a new one, according to the official United States government National Vulnerability Database website, which announces vulnerabilities
The vulnerability is described as follows by the US Government’s National Vulnerability Database:
“PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.
NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts.
As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.”
Rates from the National Vulnerability Database As a Critical Vulnerability
There’s No Need to Worry, Says WordFence
There’s no need to be concerned, according to Wordfence security researchers. Wordfence, in their expert opinion, downplayed the chances of an exploit occurring as a result of this flaw.
“In our assessment, successfully exploiting this vulnerability would require a large number of factors to line up, including the presence of at least one additional vulnerability in a plugin or other component installed on the site as well as the presence of a vulnerable magic method.
We are also currently unaware of any plugins that could be used to exploit this vulnerability even as a site administrator.
This is unlikely to be used as an intrusion vector, though it is possible that it could be used by attackers who have already gained some level of access to escalate their privileges.”
Immediately update WordPress
Publishers who use WordPress should check to see if their installations are up to date. WordPress version 5.7.2 is the most recent version.
Because the vulnerability rating is critical, it’s possible that failing to update WordPress to version 5.7.2 will leave a site vulnerable to a hacking attack.
You may also like: