WordPress 5.7.2 Patches a Critical Vulnerability

A WordPress vulnerability rated as critical has been patched. The fix ships in WordPress version 5.7.2. Sites that have opted into automatic updates should receive it without any additional action by publishers.

Publishers are encouraged to check what WordPress version they are using to make sure they are updated to version 5.7.2.

Object Injection Vulnerability

The vulnerability affecting WordPress is an Object Injection vulnerability. Specifically, it is an object injection vulnerability in PHPMailer, the email-sending library bundled with WordPress.

According to OWASP (owasp.org), this is the definition of a PHP Object Injection vulnerability:

“PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.

The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function.

Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.”

WordPress Vulnerability Rated as Critical

The vulnerability is rated near the top of the severity scale: on the Common Vulnerability Scoring System (CVSS), which runs from 1 to 10, it scores 9.8.

The Patchstack security website published the official United States government vulnerability rating.


[Screenshot: the WordPress vulnerability rated 9.8 on a scale of 1 to 10]

According to the Patchstack security site that published details of the vulnerability:

“Details

Object injection in PHPMailer vulnerability discovered in WordPress (one security issue affecting WordPress versions between 3.7 and 5.7).

SOLUTION

Update WordPress to the latest available version (at least 5.7.2). All WordPress versions since 3.7 have also been updated to fix the following security issue.”

The official WordPress announcement for WordPress 5.7.2 stated:

“Security updates
One security issue affects WordPress versions between 3.7 and 5.7.

If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues:

Object injection in PHPMailer”

The National Vulnerability Database, the official United States government catalogue of vulnerabilities, noted that this problem happened because a fix for a previous vulnerability created a new one.

The U.S. government National Vulnerability Database describes the vulnerability like this:


“PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname.

NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts.

As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.”
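The defensive counterpart to the two descriptions quoted above (OWASP's unserialize() definition and the NVD entry on addAttachment with a UNC path), added here as an example and not code from WordPress or PHPMailer: it rejects stream-wrapper and UNC attachment paths before they reach addAttachment(), and deserializes untrusted data without instantiating any class. The function names, the upload directory and the sample inputs are assumptions made for the illustration.

```php
<?php
// Added example, not WordPress or PHPMailer code. Validates a user-influenced
// path before PHPMailer::addAttachment() touches it, and deserializes untrusted
// data safely. Names, upload directory and inputs are assumptions.
declare(strict_types=1);

// Return the resolved path if $path is a plain local file inside $baseDir;
// return null for stream wrappers, UNC paths, or anything that escapes it.
function validate_attachment_path(string $path, string $baseDir): ?string
{
    // Reject any stream wrapper (phar://, data://, ...). On PHP before 8.0 a
    // phar:// path makes ordinary file functions unserialize() the archive's
    // metadata, which is the object injection the NVD entry describes.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return null;
    }
    // Reject UNC-style paths (\\server\share or //server/share).
    if (preg_match('#^[\\\\/]{2}#', $path)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false) {
        return null;
    }
    // Confine the file to $baseDir and require a regular file.
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

// Deserialize untrusted input without creating objects: with
// allowed_classes => false every object becomes __PHP_Incomplete_Class,
// so no application class's __wakeup() or __destruct() can run.
function safe_unserialize(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Constructed inputs for illustration: the first is accepted, the rest are not.
$uploads = sys_get_temp_dir() . '/attachments';
@mkdir($uploads);
file_put_contents($uploads . '/report.pdf', 'constructed sample');
var_dump(validate_attachment_path($uploads . '/report.pdf', $uploads));
var_dump(validate_attachment_path('phar://archive.phar/report.pdf', $uploads));
var_dump(validate_attachment_path('\\\\fileserver\\share\\report.pdf', $uploads));
var_dump(validate_attachment_path($uploads . '/../outside.txt', $uploads));
var_dump(safe_unserialize('O:8:"stdClass":1:{s:1:"a";i:1;}'));
```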

[Screenshot: the National Vulnerability Database rates the WordPress vulnerability as critical]

Update WordPress Immediately

Publishers who use WordPress should check that their installations are on the latest version. The most current version of WordPress is 5.7.2.

Because the vulnerability is rated critical, a site that is not updated to version 5.7.2 may be left exposed to a hacking event.

Citation

WordPress Announcement of Version 5.7.2

Searchenginejournal.com


Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster


Google announced that its Product Reviews update was rolling out to English language sites, with no mention of whether or when it would reach other languages. John Mueller answered a question about whether it is rolling out to other languages.

Google December 2021 Product Reviews Update

On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.

The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.

A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:

“Mainly relevant to sites that post articles reviewing products.

Think of sites like “best TVs under $200”.com.

Goal is to improve the quality and usefulness of reviews we show users.”


Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.

The first best practice was a requirement of evidence that a product was actually handled and reviewed.

The second best practice was to provide links to more than one place that a user could purchase the product.

The Twitter announcement stated that the update was rolling out to English language websites. The blog post neither said which languages it covered nor stated that the product review update was limited to English.

Google’s Mueller Thinking About Product Reviews Update

[Screenshot: Google's John Mueller trying to recall whether the December Product Review Update affects more than the English language]

Product Review Update Targets More Languages?

The person asking the question was rightly under the impression that the product review update only affected English language search results.


But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.

This is his question:

“I was seeing some movements in German search as well.

So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.

…My question is, is it possible that the product reviews update affects other sites as well?”

John Mueller answered:

“I don’t know… like other languages?

My assumption was this was global and across all languages.

But I don’t know what we announced in the blog post specifically.


But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.

I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.

But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.

And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.

So I’m not particularly surprised that you see changes in Germany.

But I also don’t know what we actually announced with regards to the locations and languages that are involved.”

Does Product Reviews Update Affect More Languages?

While the tweeted announcement specified that the product reviews update was limited to the English language, the official blog post did not mention any such limitation.

Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.


One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.

It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.

Citations

Google Blog Post About Product Reviews Update

Product reviews update and your site

Google’s New Product Reviews Guidelines

Write high quality product reviews

John Mueller Discusses If Product Reviews Update Is Global

Watch Mueller answer the question at the 14:00 Minute Mark

