WordPress Core vulnerabilities hit millions of sites

WordPress announced that it has patched four vulnerabilities rated up to 8 on a scale of 1 to 10. The vulnerabilities are in the core of WordPress itself and are due to flaws introduced by the WordPress development team itself .

Four WordPress vulnerabilities

The WordPress announcement lacked details on the severity of the vulnerabilities and details were sparse.

However, the US government’s National Vulnerability Database, where vulnerabilities are recorded and published, rated vulnerabilities as high as 8.0 on a scale of 1 to 10, with ten representing the highest level of danger. raised.

The four vulnerabilities are:

  1. SQL injection due to lack of data cleansing in WP_Meta_Query (severity level high, 7.4)
  2. Multi-site authenticated object injection (average assessed severity level 6.6)
  3. Cross Site Scripting (XSS) stored via authenticated users (high severity, 8.0)
  4. SQL injection via WP_Query due to improper cleanup (high severity, 8.0)

Three of the four vulnerabilities were discovered by security researchers outside of WordPress. WordPress had no idea until they were notified.

The vulnerabilities were privately disclosed to WordPress, allowing WordPress to fix the issues before they became widely known.

WordPress development rushed in a dangerous way?

WordPress development slowed down in 2021 as they were unable to complete work on the latest version, 5.9, which saw that version of WordPress pushed to later in 2022.

There has been talk within WordPress of slowing the pace of development due to concerns about its ability to keep pace.

WordPress core developers themselves sounded the alarm at the end of 2021 over the pace of development, pleading for more time.

One of the developers warned:

“Overall, it looks like we’re rushing things in a dangerous way right now.”

Given that WordPress cannot meet its own release schedule and is considering cutting its 2022 release schedule from four to three, one has to wonder about the pace of WordPress development and whether more effort should be made to ensure that vulnerabilities are not inadvertently released to the public.

Data sanitization issues in WordPress

Data cleansing is a way to control the type of information that passes through the entries and into the database. The database contains information about the site, including passwords, usernames, user information, content, and other information necessary for the operation of the site.

WordPress Documentation describes data cleansing:

“Sanitizing is the process of cleaning or filtering your input data. Whether the data is coming from a user, an API, or a web service, you use cleaning when you don’t know what you’re looking for. expect or you don’t want to be strict with data validation.

the Documentation indicates that WordPress provides built-in helper functions to protect against malicious input and that using these helper functions requires minimal effort.

WordPress anticipates sixteen types of ingress vulnerabilities and provides solutions to block them.

So it’s surprising that input sanitization issues still appear at the very core of WordPress itself.

There were two high-level vulnerabilities related to improper disinfection:

  • WordPress: SQL injection due to poor cleanup in WP_Meta_Query
    Due to lack of proper sanitization in WP_Meta_Query, there is potential for indiscriminate SQL injection
  • WordPress: SQL Injection via WP_Query
    Due to poor sanitization in WP_Query, there may be cases where SQL injection is possible through plugins or themes that use it in some way.

The other vulnerabilities are:

  • WordPress: Injection of authenticated objects in multisites
    On a multisite, users with the super admin role can circumvent explicit/additional hardening under certain conditions through object injection.
  • WordPress: XSS stored via authenticated users
    Low-privilege authenticated users (like the author) in WordPress core can run JavaScript/perform stored XSS attack, which can affect high-privilege users.

WordPress recommends immediate update

Because the vulnerabilities are now out in the open, it’s important for WordPress users to ensure their WordPress installation is updated to the latest version, currently 5.8.3.

WordPress advised to update the installation immediately.


Read the official WordPress notice

WordPress Security Release 5.8.3

National Vulnerability Database Reports

Injection of authenticated objects in multisites

XSS stored via authenticated users

Bad sanitization in WP_Query

SQL injection due to bad sanitization in WP_Meta_Query

Comments are closed.