A critical vulnerability in WordPress has been addressed with a recent patch. Despite the critical label, one security researcher believes the chances of this vulnerability being exploited are low.
The patch is for WordPress version 5.7.2. Sites set to automatically download updates should receive this patch without any further action required by site administrators.
It is advised that publishers verify their WordPress version to confirm they are using the latest version 5.7.2.
Object Injection Vulnerability
The identified vulnerability pertains to an Object Injection in PHPMailer.
According to the OWASP (owasp.org) security website, a PHP Object Injection vulnerability is defined as:
"PHP Object Injection is an application-level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal, and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in arbitrary PHP object(s) injection into the application scope."
WordPress Vulnerability Rated as Critical
This vulnerability is nearly at the highest risk rating, scoring 9.8 out of 10 using the Common Vulnerability Scoring System (CVSS).
Details published by the Patchstack security site note:
"Details
Object injection in PHPMailer vulnerability discovered in WordPress (one security issue affecting WordPress versions between 3.7 and 5.7)."
"SOLUTION
Update to the latest available WordPress version (at least 5.7.2). All WordPress versions since 3.7 have also been updated to fix this security issue."
The official WordPress announcement for version 5.7.2 stated:
"One security issue affects WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the following security issues: Object injection in PHPMailer."
The U.S. National Vulnerability Database (NVD) described the issue as:
"PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation."
Wordfence: No Need to Panic
Security researchers at Wordfence have stated there’s no need to panic. They believe the likelihood of an exploit occurring from this vulnerability is low.
"In our assessment, successfully exploiting this vulnerability would require a large number of factors to align, including the presence of an additional vulnerability in a plugin or other component installed on the site as well as a vulnerable magic method. We are also currently unaware of any plugins that could be used to exploit this vulnerability, even by a site administrator. This is unlikely to be used as an intrusion vector, although it could be leveraged by attackers who have already gained some access to escalate their privileges."
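The two ingredients named above, a "vulnerable magic method" and a file path that reaches a PHP file function, are easier to see in code. The following PHP 8 snippet is an added illustration, not code from the article, WordPress or PHPMailer; the class CacheEntry, the function safeAttachmentPath and all sample values are constructed, and it shows the unserialize() option that neutralises gadget classes plus a path check a defender can apply before a filename is handed to addAttachment() or any other file function.

```php
<?php
// Added example (not from the article, WordPress or PHPMailer). PHP 8+ assumed;
// class, function and sample values are constructed for illustration.

class CacheEntry
{
    public static array $log = [];
    public string $tmpFile = '';

    // The "vulnerable magic method" Wordfence refers to: it runs automatically
    // when a deserialized CacheEntry is destroyed, using whatever $tmpFile the
    // serialized bytes carried. Here it only records what a real gadget would do.
    public function __destruct()
    {
        self::$log[] = "would remove {$this->tmpFile}";
    }
}

// Constructed serialized input, as it might arrive from an untrusted source.
$untrusted = 'O:10:"CacheEntry":1:{s:7:"tmpFile";s:12:"/tmp/foo.txt";}';

// Unsafe: a real CacheEntry is rebuilt, so its __destruct() runs with that data.
$obj = unserialize($untrusted);
unset($obj);

// Mitigation: nothing is instantiated; the result is __PHP_Incomplete_Class and
// no CacheEntry method ever runs. Prefer JSON for untrusted data altogether.
$obj = unserialize($untrusted, ['allowed_classes' => false]);
unset($obj);
var_dump(CacheEntry::$log); // only the unsafe call added an entry

// Mitigation for the addAttachment() path issue: return a canonical path inside
// $baseDir, or null if $path names a stream wrapper (phar://, file://, ...),
// a UNC share (\\server\share or //server/share) or a file outside $baseDir.
// Call it before any file function (including PHPMailer) sees the path.
function safeAttachmentPath(string $baseDir, string $path): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)
        || str_starts_with($path, '\\\\') || str_starts_with($path, '//')) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $path);
    if ($base === false || $real === false || !str_starts_with($real, $base . '/')) {
        return null;
    }
    return $real;
}
var_dump(safeAttachmentPath('/var/app/uploads', 'phar://evil.phar/report.pdf'));
```

The path check runs before realpath() or any other file function touches the string, because the Phar deserialization described by NVD is triggered by the file function itself, not by unserialize().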
Update WordPress Immediately
Publishers using WordPress should check if their installation is the latest version, 5.7.2. Given the critical vulnerability rating, failing to update to version 5.7.2 could leave a site exposed to potential hacking.
Citations
WordPress Announcement of Version 5.7.2
Wordfence Analysis: WordPress 5.7.2 Security Release: What You Need to Know