
WordPress Core Vulnerabilities Hit Millions of Sites

WordPress announced high threat level vulnerabilities that were introduced by the core development team itself

WordPress announced it has patched four vulnerabilities that are rated as high as 8 on a scale of 1 to 10. The vulnerabilities are in the WordPress core itself and are due to flaws introduced by the WordPress development team itself.

Four WordPress Vulnerabilities

The WordPress announcement gave few details about how severe the vulnerabilities were.

However, the United States Government National Vulnerability Database, where vulnerabilities are logged and publicized, rated the vulnerabilities as high as 8.0 on a scale of 1 to 10, with ten representing the highest danger level.

The four vulnerabilities are:

  1. SQL injection due to lack of data sanitization in WP_Meta_Query (severity level rated high, 7.4)
  2. Authenticated Object Injection in Multisites (severity level rated medium, 6.6)
  3. Stored Cross Site Scripting (XSS) through authenticated users (severity level rated high, 8.0)
  4. SQL Injection through WP_Query due to improper sanitization (severity level rated high, 8.0)

Three out of four of the vulnerabilities were discovered by security researchers outside of WordPress. WordPress had no idea until they were notified.

The vulnerabilities were privately disclosed to WordPress, which allowed WordPress to fix the problems before they became widely known.

WordPress Development Rushed in a Dangerous Way?

WordPress development slowed down in 2021 because the team was unable to finish work on the latest release, 5.9, and that version of WordPress was pushed back to later in 2022.

There has been talk within WordPress of slowing down the pace of development because of concern for the ability to keep up.

The WordPress core developers themselves raised the alarm in late 2021 about the pace of development, pleading for more time.

One of the developers warned:

“Overall, it seems like right now we are rushing things in a dangerous way.”

Given that WordPress cannot keep to its own release schedule and is discussing scaling back its 2022 release calendar from four releases to three, one has to question the pace of WordPress development and whether more effort should be made to ensure that vulnerabilities are not inadvertently released to the public.

Data Sanitization Problems in WordPress

Data sanitization is a way to control what kind of information gets through inputs and into the database. The database is what holds information about the site, including passwords, usernames, user information, content and other information that is necessary for the site to function.

WordPress documentation describes data sanitization:

“Sanitization is the process of cleaning or filtering your input data. Whether the data is from a user or an API or web service, you use sanitizing when you don’t know what to expect or you don’t want to be strict with data validation.”

The documentation states that WordPress provides built-in helper functions to protect against malicious inputs and that the use of these helper functions requires minimal effort.

WordPress anticipates sixteen kinds of input vulnerabilities and provides solutions to block them.

So it’s surprising that input sanitization issues still appear in the very core of WordPress itself.

There were two high-level vulnerabilities related to improper sanitization:

  • WordPress: SQL injection due to improper sanitization in WP_Meta_Query
    Due to lack of proper sanitization in WP_Meta_Query, there’s potential for blind SQL Injection.
  • WordPress: SQL Injection through WP_Query
    Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way.
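
As an added illustration (not code from WordPress or from the 5.8.3 patch, and not a reproduction of the flaws above), the PHP below shows how a plugin can allowlist and type-check request input before handing it to WP_Query, rather than relying only on core's own sanitization. The function name, request parameter names and meta keys are hypothetical.

```php
<?php
// Added example: validate request input before it reaches WP_Query / WP_Meta_Query.
// All names below (function, parameters, meta keys) are hypothetical.

const ALLOWED_META_KEYS = ['color', 'size'];    // meta keys this plugin chooses to expose
const ALLOWED_COMPARE   = ['=', '!=', 'LIKE'];  // subset of meta_query compare operators
const ALLOWED_ORDERBY   = ['date', 'title'];

function build_query_args(array $request): array {
    $args = [
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => 10,
        'orderby'        => 'date',
    ];

    // Integers: cast and clamp instead of forwarding the raw string.
    if (isset($request['per_page']) && is_scalar($request['per_page'])) {
        $args['posts_per_page'] = max(1, min(50, (int) $request['per_page']));
    }

    // Enumerations: accept only exact allowlisted values (strict comparison).
    if (isset($request['orderby']) && in_array($request['orderby'], ALLOWED_ORDERBY, true)) {
        $args['orderby'] = $request['orderby'];
    }

    // Meta filter: key and operator come from allowlists; the value must be a
    // plain string. Request parameters can arrive as arrays, which would change
    // how the query class interprets them, so non-strings are dropped.
    $key   = $request['meta_key'] ?? null;
    $value = $request['meta_value'] ?? null;
    if (in_array($key, ALLOWED_META_KEYS, true) && is_string($value)) {
        $compare = $request['compare'] ?? '=';
        $args['meta_query'] = [[
            'key'     => $key,
            'value'   => substr($value, 0, 64),
            'compare' => in_array($compare, ALLOWED_COMPARE, true) ? $compare : '=',
            'type'    => 'CHAR',
        ]];
    }
    return $args;
}

// Stand-alone demo on constructed input; inside WordPress the plugin would
// instead call: new WP_Query(build_query_args(wp_unslash($_GET)));
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $sample = ['per_page' => '9999', 'orderby' => 'unexpected', 'meta_key' => 'color',
               'meta_value' => ['nested' => 'array'], 'compare' => 'IN'];
    print_r(build_query_args($sample)); // per_page clamped, orderby default, no meta_query
}
```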

The other vulnerabilities are:

  • WordPress: Authenticated Object Injection in Multisites
    On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection.
  • WordPress: Stored XSS through authenticated users
    Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users.

WordPress Recommends Updating Right Away

Because the vulnerabilities are now in the open, it is important that WordPress users make sure their WordPress installation is updated to the latest version, currently 5.8.3.

WordPress advised updating the installation immediately.

Citations

Read the Official WordPress Notice

WordPress 5.8.3 Security Release

National Vulnerability Database Reports

Authenticated Object Injection in Multisites

Stored XSS through authenticated users

Improper sanitization in WP_Query

SQL injection due to improper sanitization in WP_Meta_Query

SEJ STAFF Roger Montti Owner - Martinibuster.com at Martinibuster.com