WordPress has announced a security and maintenance release, version 5.8.1. Updating WordPress, particularly versions 5.4 to 5.8, is crucial to address three security issues.
WordPress 5.8.1 Security and Maintenance Release
It’s not uncommon for WordPress or any software to publish a bug fix update following a major version release to address unforeseen issues and introduce improvements that didn’t make it into the major release.
In WordPress, these updates are referred to as a maintenance release.
This update also includes a security update, which is somewhat rare for the WordPress core. This makes the update more critical than the typical maintenance release.
WordPress Security Issues Fixed
WordPress 5.8.1 addresses three vulnerabilities:
- A data exposure vulnerability within the REST API
- Cross-Site Scripting (XSS) vulnerability in the Gutenberg block editor
- Multiple critical to high severity vulnerabilities in the Lodash JavaScript Library
All three vulnerabilities are significant enough that immediate updating of WordPress installations is recommended.
REST API Vulnerability
The WordPress REST API is an interface that allows plugins and themes to interact with the WordPress core.
The REST API has been a source of security vulnerabilities, including the recent Gutenberg Template Library & Redux Framework vulnerability that affected over a million websites.
This vulnerability is described as a data exposure vulnerability, meaning sensitive information could be revealed. There are currently no additional details on the type of information, but it could range from passwords to data that could be exploited to launch an attack through another vulnerability.
WordPress Gutenberg XSS Vulnerability
Cross-Site Scripting (XSS) vulnerabilities are relatively common. They can occur whenever there is user input, such as a contact or email form, that is not “sanitized” to prevent the upload of scripts that can trigger unwanted behavior in the WordPress installation.
The Open Web Application Security Project (OWASP) describes the potential harm of XSS vulnerabilities:
“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.”
This specific vulnerability impacts the Gutenberg block editor.
WordPress Lodash JavaScript Library Vulnerabilities
These vulnerabilities may be the most concerning. The Lodash JavaScript library is a set of scripts used by developers that have been found to contain multiple vulnerabilities.
The latest and safest version of Lodash is 4.17.21.
The U.S. Homeland Security-sponsored CVE List details the vulnerability:
“Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.”
There appear to be many other vulnerabilities affecting the Lodash library in the 4.1.7 branch as well.
WordPress Urges Immediate Updating
These security vulnerabilities add a sense of urgency to this update. WordPress strongly recommends that all publishers update.
The official WordPress announcement advocates updating:
“Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.”
References
WordPress 5.8.1 Security and Maintenance Release
CVE Lodash Vulnerability Description CVE-2021-23337
