Main WordPress vulnerabilities affect millions of sites

WordPress announced that it fixed four vulnerabilities rated up to 8 on a scale of 1 to 10. The vulnerabilities are found in the core of WordPress itself and are due to vulnerabilities introduced by the WordPress development team itself. .

Four WordPress vulnerabilities

WordPress’ announcement lacked details on the severity of the vulnerabilities and details were scarce.

However, the United States Government’s National Vulnerability Database, where vulnerabilities are recorded and made public, rated vulnerabilities up to 8.0 on a scale of 1 to 10, with ten representing the level of danger. The highest.

The four vulnerabilities are:

  1. SQL injection due to lack of data sanitization in WP_Meta_Query (high severity level, 7.4)
  2. Injection of authenticated objects into multisites (severity level rated average 6.6)
  3. Stored Cross Site Scripting (XSS) via Authenticated Users (High Severity, 8.0)
  4. SQL injection via WP_Query due to improper disinfection (high severity level, 8.0)


Continue reading below

Three of the four vulnerabilities were discovered by security researchers outside of WordPress. WordPress had no idea until they heard about it.

The vulnerabilities were privately disclosed to WordPress, which allowed WordPress to address the issues before they became widely known.

WordPress development rushed in a dangerous way?

WordPress development slowed down in 2021 as they were unable to complete work on the latest version, 5.9, which saw this version of WordPress postponed until 2022.

There has been talk within WordPress of slowing the pace of development because of the concern for the ability to keep up.

The main WordPress developers themselves sounded the alarm bells at the end of 2021 about the pace of development, arguing for more time.


Continue reading below

One of the developers warned:

“Overall, it looks like we’re rushing things in a dangerous way right now.”

Given that WordPress cannot meet its own release schedule and is discussing reducing its 2022 release schedule from four to three, one has to question the pace of WordPress development and whether more needs to be done. efforts to ensure that vulnerabilities are not inadvertently released. the public.

Data disinfection issues in WordPress

Data disinfection is a way to control the type of information that passes through the entries and into the database. The database contains information about the site, including passwords, user names, user information, content, and other information necessary for the site to function.

The WordPress documentation describes data disinfection:

“Disinfection is the process of cleaning or filtering your input data. Whether the data is coming from a user, an API, or a web service, you use disinfection when you don’t know what to expect or want to be strict with data validation.

The documentation states that WordPress provides built-in helper functions to protect against malicious input, and using these helper functions requires minimal effort.

WordPress anticipates sixteen types of entry vulnerabilities and provides solutions to block them.

So it’s surprising that entry cleanup issues still appear at the very heart of WordPress itself.


Continue reading below

There were two high-level vulnerabilities related to improper disinfection:

  • WordPress: SQL injection due to incorrect disinfection in WP_Meta_Query
    Due to lack of proper sanitation in WP_Meta_Query, there is potential for blind SQL injection
  • WordPress: SQL injection via WP_Query
    Due to improper disinfection in WP_Query, there may be cases where SQL injection is possible through plugins or themes that use it in a certain way.

The other vulnerabilities are:

  • WordPress: Injection of authenticated objects in multisites
    On a multisite, users with the super administrator role can bypass explicit / additional hardening under certain conditions through object injection.
  • WordPress: XSS stored through authenticated users
    Authenticated low privilege users (like the author) in the WordPress core are able to execute JavaScript / perform stored XSS attack, which can affect high privileged users.

WordPress recommends immediate update

Since the vulnerabilities are now open, it is important for WordPress users to ensure that their WordPress installation is updated to the latest version, currently 5.8.3.


Continue reading below

WordPress advised to update the installation immediately.


Read the official WordPress notice

WordPress Security Version 5.8.3

National Vulnerability Database Reports

Injection of authenticated objects into multisites

XSS stored through authenticated users

Incorrect disinfection in WP_Query

SQL injection due to incorrect disinfection in WP_Meta_Query

Esther L. Gunn