title text on emoji wearing mask

WordPress 5.8.3 Security Release

On January 6, 2022, the WordPress core team released WordPress version 5.8.3, which contains security patches for 4 high-severity vulnerabilities. These patches were backported to every version of WordPress since 3.7.

WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites will have received these patches automatically and are no longer vulnerable.

Let me repeat that. Most WordPress sites are not in danger from these vulnerabilities, thanks to the WordPress core team deploying patches to all sites that allow automatic core updates for security patches, which is the default behavior.

Sites on read-only filesystems as well as sites that have explicitly disabled automatic core updates via setting define( 'WP_AUTO_UPDATE_CORE', false ); in wp-config.php may not yet have updated, and we urge owners of these sites to do so as soon as possible.

Vulnerability Analysis

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain secure. Wordfence protects against all vulnerabilities addressed in this release of WordPress core, and as an additional precaution we have released a new firewall rule to protect against the cross site scripting vulnerability that was fixed in this release. This rule has been deployed to Wordfence Premium users.

Even if you are running Wordfence Premium, we encourage you to update WordPress core on all your sites at your earliest convenience, if you have not already been automatically updated.


Description: SQL Injection via WP_Query
Affected Versions: WordPress Core < 5.8.3
CVE ID: 2022-21661
CVSS Score: 8.0 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 5.8.3
Researcher/s: ngocnb and khuyenn from GiaoHangTietKiem JSC

This vulnerability is not exploitable directly via WordPress core, but some plugins and themes may use WP_Query in a way that allows SQL injection. The Wordfence firewall’s built-in SQL injection blocks attempts to exploit this vulnerability.


Description: Author+ Stored XSS via Post Slugs
Affected Versions: WordPress Core < 5.8.3
CVE ID: 2022-21662
CVSS Score: 8.0 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Fully Patched Version: 5.8.3
Researcher/s: Karim El Ouerghemmi and Simon Scannell of SonarSource

As with most XSS vulnerabilities, this vulnerability could be used to completely take over a site, or to add a malicious backdoor. However, it can only be exploited by users with the ability to publish posts.

This vulnerability allows Authors and WooCommerce Shop Owner to add scripts to a site, but both roles are relatively trusted.

Contributors or most other custom roles are not able to exploit the vulnerability, and it does not meaningfully increase the attack surface on a site with only Administrator or Editor users, as both already have the unfiltered_html capability and can add JavaScript to posts.

Nonetheless, the Wordfence Threat Intelligence team has released a firewall rule protecting against this exploit to our Premium users. This firewall rule will become available to free Wordfence users after 30 days, on February 7, 2022.


Description: Blind SQL Injection via WP_Meta_Query
Affected Versions: WordPress Core 4.1 – 5.8.2
CVE ID: 2022-21664
CVSS Score: 7.4 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 5.8.3
Researcher/s: Ben Bidner from the WordPress security team

As with the SQL Injection via WP_Query, the Wordfence firewall’s built-in SQL injection protection blocks attempts to exploit this vulnerability.


Description: Super Admin Object Injection in Multisites
Affected Versions: WordPress Core < 5.8.3
CVE ID: 2022-21663
CVSS Score: 6.6 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 5.8.3
Researcher/s: Simon Scannell of SonarSource

This issue requires Super Administrator privileges to exploit, and only Multisite WordPress sites are vulnerable. Because this is only exploitable by the website super admin, which is the root user of a Multisite installation, we don’t currently consider this a vulnerability for practical purposes. This issue would only impact sites that are extremely locked down, where even Super Administrators are not allowed to execute arbitrary code, which is extremely rare. As with all Object Injection vulnerabilities, it would also require the presence of a separate POP chain in order to exploit. While the impact of an Object Injection vulnerability can be critical, this issue, in our view, impacts very few sites because the configuration that makes it exploitable is extremely rare.

Conclusion

In today’s article, we covered four vulnerabilities patched in the WordPress 5.8.3 security release. The vast majority of actively used WordPress sites have already been patched via automatic updates, and any sites that remain vulnerable would only be exploitable under very specific circumstances. The Wordfence firewall provides protection against these vulnerabilities.

Despite this, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you should not have to worry about compatibility issues.

This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Did you enjoy this post? Share it!

Comments

5 Comments
  • thanks for your help,i am
    very grateful for your plugin

  • Is the tool free?

    • Hi kaled

      A free version of Wordfence is available at https://wordpress.org/plugins/wordfence/ which should provide SQL injection protection. The XSS rule we deployed will be made available to free users 30 days after it was deployed, on February 7, 2021

  • I'd love it if the automatic updates were a bit more reliable. 40% of the sites I look after that had automatic updates enabled, failed and didn't update. With an update like this, that unfortunately meant a lot of manual updating on Saturday!

    • Hi Simon,

      This is somewhat troubling and may indicate an issue with your hosting provider, though it's possible the mass-update may have strained some hosting providers' infrastructure. Still, the good news is that these required either a trusted user or very specific circumstances to exploit, so you should be ok since you managed to update.