Connect with us

SEO

WordPress Core Vulnerabilities Hits Millions of Sites

Published

on

WordPress Core Vulnerabilities Hits Millions of Sites

WordPress announced it has patched four vulnerabilities that are rated as high as 8 on a scale of 1 to 10. The vulnerabilities are in the WordPress core itself and are due to flaws introduced by the WordPress development team itself.

Four WordPress Vulnerabilities

The WordPress announcement was short of details of how severe the vulnerabilities were and the details were scant.

However the United States Government National Vulnerability Database where vulnerabilities are logged and publicized rated the vulnerabilities as high as 8.0 on a scale of 1 to 10, with ten representing the highest danger level.

The four vulnerabilities are:

  1. SQL injection due to lack of data sanitization in WP_Meta_Query (severity level rated high, 7.4)
  2. Authenticated Object Injection in Multisites (severity level rated medium 6.6)
  3. Stored Cross Site Scripting (XSS) through authenticated users (severity level rated high, 8.0)
  4. SQL Injection through WP_Query due to improper sanitization (severity level rated high, 8.0)

Advertisement

Continue Reading Below

Advertisement

Three out of four of the vulnerabilities were discovered by security researchers outside of WordPress. WordPress had no idea until they were notified.

The vulnerabilities were privately disclosed to WordPress, which allowed WordPress to fix the problems before they became widely known.

WordPress Development Rushed in a Dangerous Way?

WordPress development slowed down in 2021 because they were unable to finish work on the latest release, 5.9, which saw that version of WordPress pushed back to later in 2022.

There has been talk within WordPress of scaling back development. The WordPress core developers themselves raised the alarm about the pace of development, pleading for more time.

Advertisement

Continue Reading Below

Advertisement

One of the developers warned:

“Overall, it seems like right now we are rushing things in a dangerous way.”

Given how WordPress cannot keep to its own release schedule and is discussing scaling back their 2022 release calendar from four releases to three, one has to question the pace of WordPress development and whether more effort should be made to assure that vulnerabilities are not inadvertently released to the public.

Data Sanitization Problems in WordPress

Data sanitization is way to control what kind of information gets through inputs and into the database. The database is what holds information about the site, including passwords, usernames, user information, content and other information that is necessary for the site to function.

WordPress documentation describes data sanitization:

“Sanitization is the process of cleaning or filtering your input data. Whether the data is from a user or an API or web service, you use sanitizing when you don’t know what to expect or you don’t want to be strict with data validation.”

The documentation states that WordPress is supposed to include built-in helper functions to protect against malicious inputs and that the use of these  helper functions requires minimal effort.

According to WordPress’ own documentation these vulnerabilities are anticipated so it’s surprising that they should appear in the very core of WordPress itself.

Advertisement

Advertisement

Continue Reading Below

There were two high level vulnerabilities related to improper sanitization:

  • WordPress: SQL injection due to improper sanitization in WP_Meta_Query
    Due to lack of proper sanitization in WP_Meta_Query, there’s potential for blind SQL Injection
  • WordPress: SQL Injection through WP_Query
    Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way.

The other vulnerabilities are:

  • WordPress: Authenticated Object Injection in Multisites
    On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection.
  • WordPress: Stored XSS through authenticated users
    Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users.

WordPress Recommends Updating Right Away

Because the vulnerabilities are now in the open it is important that WordPress users make sure their WordPress installation is updated to the latest version, currently 5.8.3.

Advertisement

Continue Reading Below

WordPress advised updating the installation immediately.

Advertisement

Citations

Read the Official WordPress Notice

WordPress 5.8.3 Security Release

National Vulnerability Database Reports

Authenticated Object Injection in Multisites

Stored XSS through authenticated users

Improper sanitization in WP_Query

SQL injection due to improper sanitization in WP_Meta_Query




Source link

Advertisement
Keep an eye on what we are doing
Be the first to get latest updates and exclusive content straight to your email inbox.
We promise not to spam you. You can unsubscribe at any time.
Invalid email address