The WordPress development team released version 5.8.3, a short-cycle security release that addresses four vulnerabilities, three of which are rated of high importance.
The set includes an SQL injection on WP_Query, a blind SQL injection via the WP_Meta_Query, an XSS attack via the post slugs, and an admin object injection.
All of the issues have prerequisites for their exploitation, and most WordPress sites that use the default automatic core updates setting aren’t in danger.
WordPress 5.8.2 or Older Vulnerable
However, websites using WordPress 5.8.2 or older, with read-only filesystems that have disabled automatic core updates in wp-config.php, could be vulnerable to attacks based on the identified flaws.
The four flaws addressed with the latest security update are the following:
- CVE-2022-21661: High severity (CVSS score 8.0) SQL injection via WP_Query. This flaw is exploitable via plugins and themes that use WP-Query. Fixes cover WordPress versions down to 3.7.37.
- CVE-2022-21662: High severity (CVSS score 8.0) XSS vulnerability allowing authors (lower privilege users) to add a malicious backdoor or take over a site by abusing post slugs. Fixes cover WordPress versions down to 3.7.37.
- CVE-2022-21664: High severity (CVSS score 7.4) SQL injection via the WP_Meta_Query core class. Fixes cover WordPress versions down to 4.1.34.
- CVE-2022-21663: Medium severity (CVSS score 6.6) object injection issue that can only be exploited if a threat actor has compromised the admin account. Fixes cover WordPress versions down to 3.7.37.
There have been no reports of the above being under active exploitation in the wild, and none of these flaws is thought to have a severe potential impact on most WordPress sites.
Nonetheless, it is recommended that all WordPress site owners upgrade to version 5.8.3, review their firewall configuration, and ensure that WP core updates are activated.
This setting can be seen on the ‘define’ parameter in wp-config.php, which should be “define(‘WP_AUTO_UPDATE_CORE’, true );”
Automated core updates were introduced in 2013 on WordPress 3.7, and according to official stats, only 0.7% of all WP sites are currently running a version older than that.