The WordPress development team has released version 5.8.3, a short-cycle security release that addresses four vulnerabilities, three of them rated high severity and one medium.
The release fixes a SQL injection in WP_Query, a blind SQL injection via WP_Meta_Query, a stored XSS via post slugs, and an object injection that requires an administrator account.
All four flaws require specific prerequisites to be exploited, and the vast majority of WordPress sites, which keep the default automatic core update configuration, have already received the fix. Sites running WordPress 5.8.2 or earlier are exposed if they sit on a read-only filesystem or have automatic core updates disabled in wp-config.php, since neither can pick up the patch on its own.
The following are the four flaws:
- CVE-2022-21661: SQL injection via WP_Query, high severity (CVSS score 8.0). This flaw is exploitable through plugins and themes that feed untrusted input into WP_Query. Fixes are backported to versions as old as 3.7.37.
- CVE-2022-21662: stored cross-site scripting via post slugs, high severity (CVSS score 8.0). By abusing post slugs, users with the lower-privilege Author role can plant a malicious backdoor or take over a site. Fixes are backported to versions as old as 3.7.37.
- CVE-2022-21664: blind SQL injection via the WP_Meta_Query core class, high severity (CVSS score 7.4). Fixes are backported to versions as old as 4.1.34.
- CVE-2022-21663: object injection, medium severity (CVSS score 6.6), exploitable only by an attacker who has already compromised an administrator account. Fixes are backported to versions as old as 3.7.37.
There are no reports of these flaws being exploited in the wild, and none of them is thought to have a significant potential impact on most WordPress sites.
Nonetheless, all WordPress site owners are advised to upgrade to version 5.8.3, review their firewall configuration, and ensure that automatic core updates are enabled.
The setting lives in wp-config.php as a define() call, which should read:
define( 'WP_AUTO_UPDATE_CORE', true );
Leaving the constant undefined also keeps minor and security releases such as 5.8.3 flowing, because WordPress defaults to applying them; it is an explicit false (or a filesystem the web server cannot write to) that blocks the update.
Automatic core updates were introduced in WordPress 3.7 in 2013, and according to official statistics only 0.7 percent of all WordPress sites still run an older version.