WordPress Core Vulnerabilities Affect Millions of Sites

WordPress has announced the patching of four high-severity vulnerabilities, some rated as high as 8 out of 10. These vulnerabilities originate within the WordPress core itself, stemming from flaws introduced by the WordPress development team.

Four WordPress Vulnerabilities

The announcement from WordPress was sparse on details concerning the severity of these vulnerabilities. However, the United States Government’s National Vulnerability Database, which catalogs and publicizes such vulnerabilities, rated them up to an 8.0 on a scale of 1 to 10, with 10 representing the highest level of danger.

The four vulnerabilities are:

  1. SQL Injection in WP_Meta_Query due to lack of data sanitization (severity level rated high, 7.4)
  2. Authenticated Object Injection in Multisites (severity level rated medium, 6.6)
  3. Stored Cross-Site Scripting (XSS) through authenticated users (severity level rated high, 8.0)
  4. SQL Injection through WP_Query due to improper sanitization (severity level rated high, 8.0)

Three of these four vulnerabilities were discovered by security researchers external to WordPress, with WordPress only becoming aware after being notified. These issues were privately disclosed to WordPress, allowing them to address the problems before they became widely known.

WordPress Development Rushed in a Dangerous Way?

The pace of WordPress development slowed down in 2021 as they struggled to complete work on their latest release, 5.9, which was postponed to later in 2022. Amid these challenges, there has been ongoing discussion within WordPress about slowing the development pace due to concerns about keeping up safely.

In late 2021, core developers raised alarms about the rapid pace, requesting more time. One developer warned:

“Overall, it seems like right now we are rushing things in a dangerous way.”

Considering WordPress’s difficulty adhering to its own release schedule and the possibility of scaling back the 2022 release calendar from four releases to three, the pace of development and efforts to prevent inadvertently released vulnerabilities warrant scrutiny.

Data Sanitization Problems in WordPress

Data sanitization controls the type of information that can pass through inputs into the database, which houses crucial site information like passwords, usernames, user information, and content.

WordPress documentation describes data sanitization as:

“Sanitization is the process of cleaning or filtering your input data. Whether the data is from a user or an API or web service, you use sanitizing when you don’t know what to expect or you don’t want to be strict with data validation.”

The documentation mentions that WordPress provides built-in helper functions to protect against malicious inputs with minimal effort required from developers. Despite these measures, issues related to improper sanitization still appeared in the WordPress core.

The two high-severity vulnerabilities related to improper sanitization are:

  • SQL Injection in WP_Meta_Query: Lacks proper sanitization, leading to potential for blind SQL Injection.
  • SQL Injection through WP_Query: Improper sanitization can enable SQL injection via certain uses in plugins or themes.
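
An added example (not from the original article and not WordPress core code) of the built-in helper functions applied where a plugin turns request input into WP_Query arguments: each value is forced to an expected type or checked against an allow-list. The `book` post type, the `book_genre` meta key and the `example_*` function names are hypothetical.

```php
<?php
// Added example: hypothetical plugin code, not WordPress core.
// Request values are type-forced or allow-listed before reaching WP_Query.

/** Return a request value as a string, ignoring arrays and missing keys. */
function example_scalar( array $request, $key, $default = '' ) {
	return ( isset( $request[ $key ] ) && is_scalar( $request[ $key ] ) )
		? (string) $request[ $key ]
		: $default;
}

/** Build WP_Query arguments for a hypothetical "book" listing. */
function example_build_book_query_args( array $request ) {
	$request = wp_unslash( $request ); // WordPress adds slashes to superglobals

	// Integer input: absint() yields a non-negative integer.
	$paged = max( 1, absint( example_scalar( $request, 'paged', '1' ) ) );

	// Enumerated input: accept only known values, otherwise use a default.
	$orderby = sanitize_key( example_scalar( $request, 'orderby', 'date' ) );
	if ( ! in_array( $orderby, array( 'date', 'title', 'modified' ), true ) ) {
		$orderby = 'date';
	}
	$order = ( 'asc' === strtolower( example_scalar( $request, 'order' ) ) ) ? 'ASC' : 'DESC';

	$args = array(
		'post_type'      => 'book',    // fixed by the plugin, never from the request
		'post_status'    => 'publish',
		'posts_per_page' => 10,
		'paged'          => $paged,
		'orderby'        => $orderby,
		'order'          => $order,
	);

	// Meta query: the key and comparison operator are hard-coded. Only the
	// value comes from the request, and it is reduced to plain text first.
	$genre = sanitize_text_field( example_scalar( $request, 'genre' ) );
	if ( '' !== $genre ) {
		$args['meta_query'] = array(
			array( 'key' => 'book_genre', 'value' => $genre, 'compare' => '=' ),
		);
	}

	return $args;
}

// Usage in a template or shortcode callback:
// $query = new WP_Query( example_build_book_query_args( $_GET ) );
```

Because the function builds the argument array itself, a request parameter can never introduce a query key or nested array the plugin did not intend.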

The other vulnerabilities are:

  • Authenticated Object Injection in Multisites: Super Admin role in multisite setups can bypass additional hardening under certain conditions through object injection.
  • Stored XSS through authenticated users: Low-privileged authenticated users can execute JavaScript or perform a stored XSS attack affecting high-privileged users.

WordPress Recommends Updating Right Away

Since these vulnerabilities are now public knowledge, WordPress users should ensure their installations are updated to the latest version, currently 5.8.3. WordPress has strongly advised updating immediately.

Citations

Read the official WordPress notice:

  • WordPress 5.8.3 Security Release

National Vulnerability Database Reports:

  • Authenticated Object Injection in Multisites
  • Stored XSS through authenticated users
  • Improper sanitization in WP_Query
  • SQL injection due to improper sanitization in WP_Meta_Query
