WordPress announced high threat level vulnerabilities that were introduced by the core development team itself
WordPress announced it has patched four vulnerabilities that are rated as high as 8 on a scale of 1 to 10. The vulnerabilities are in the WordPress core itself and are due to flaws introduced by the WordPress development team itself.
The WordPress announcement was short of details of how severe the vulnerabilities were and the details were scant.
However the United States Government National Vulnerability Database where vulnerabilities are logged and publicized rated the vulnerabilities as high as 8.0 on a scale of 1 to 10, with ten representing the highest danger level.
The four vulnerabilities are:
Three out of four of the vulnerabilities were discovered by security researchers outside of WordPress. WordPress had no idea until they were notified.
The vulnerabilities were privately disclosed to WordPress, which allowed WordPress to fix the problems before they became widely known.
WordPress development slowed down in 2021 because they were unable to finish work on the latest release, 5.9, which saw that version of WordPress pushed back to later in 2022.
There has been talk within WordPress of slowing down the pace of development because of concern for the ability to keep up.
The WordPress core developers themselves raised the alarm in late 2021 about the pace of development, pleading for more time.
One of the developers warned:
“Overall, it seems like right now we are rushing things in a dangerous way.”
Given how WordPress cannot keep to its own release schedule and is discussing scaling back their 2022 release calendar from four releases to three, one has to question the pace of WordPress development and whether more effort should be made to assure that vulnerabilities are not inadvertently released to the public.
Data sanitization is way to control what kind of information gets through inputs and into the database. The database is what holds information about the site, including passwords, usernames, user information, content and other information that is necessary for the site to function.
WordPress documentation describes data sanitization:
“Sanitization is the process of cleaning or filtering your input data. Whether the data is from a user or an API or web service, you use sanitizing when you don’t know what to expect or you don’t want to be strict with data validation.”
The documentation states that WordPress provides built-in helper functions to protect against malicious inputs and that the use of these helper functions requires minimal effort.
WordPress anticipates sixteen kinds of input vulnerabilities and provides solutions to block them.
So it’s surprising that the input sanitization issues should still appear in the very core of WordPress itself.
There were two high level vulnerabilities related to improper sanitization:
The other vulnerabilities are:
Because the vulnerabilities are now in the open it is important that WordPress users make sure their WordPress installation is updated to the latest version, currently 5.8.3.
WordPress advised updating the installation immediately.
WordPress 5.8.3 Security Release
Authenticated Object Injection in Multisites
Stored XSS through authenticated users
Improper sanitization in WP_Query
SQL injection due to improper sanitization in WP_Meta_Query
Get our daily newsletter from SEJ’s Founder Loren Baker about the latest news in the industry!
Roger Montti is a search marketer with over 20 years experience. I offer site audits, phone consultations and content and … [Read full bio]
Subscribe to our daily newsletter to get the latest industry news.
Subscribe to our daily newsletter to get the latest industry news.
