WordPress disclosed high-threat vulnerabilities introduced by the core development team itself.
WordPress has patched four vulnerabilities that have been rated as high as 8 on a scale of 1 to 10. The WordPress core issues are due to defects introduced by the WordPress development team.
4 WordPress Vulnerabilities
The WordPress release was light on data concerning the severity of the flaws, and the information that was provided was sparse.
However, the vulnerabilities were rated as high as 8.0 on a scale of 1 to 10, with ten representing the highest danger level, by the United States Government National Vulnerability Database, where vulnerabilities are logged and publicized.
The four vulnerabilities are as follows:
- SQL injection as a result of insufficient data sanitization in WP Meta Query (severity level rated high, 7.4)
- Authenticated Object Injection in Multisite Environments (severity level rated medium, 6.6)
- Cross-Site Scripting (XSS) exploited by authenticated users (severity level rated high, 8.0)
- SQL injection via WP Query due to insufficient sanitization (severity level rated high, 8.0)
Three of the four vulnerabilities were discovered by security researchers who were not affiliated with WordPress. WordPress was unaware of the situation until they were notified.
The vulnerabilities were privately disclosed to WordPress, allowing the company to address the issues before they became widely known.
Is WordPress Development Being Hurried in a Dangerous Way?
WordPress development slowed in 2021 due to an inability to complete work on the most recent release, 5.9, which resulted in that version of WordPress being pushed back to later in 2022.
There has been discussion within WordPress about slowing down the rate of development due to concerns about the ability to keep up.
The WordPress core developers themselves raised the alarm about the pace of development in late 2021, pleading for more time.
One of the developers issued the following warning:
“Overall, it appears that we are rushing things in a risky manner right now.”
Given that WordPress is unable to adhere to its own release schedule and is considering reducing its 2022 release calendar from four to three, one must question the pace of WordPress development and whether more effort should be made to ensure that vulnerabilities are not inadvertently released to the public.
WordPress Data Sanitization Issues
Data sanitization is a method of controlling the type of information that enters the database through inputs. The database is where information about the site is stored, such as passwords, usernames, user information, content, and other information required for the site to function.
Documentation for WordPress describes data sanitization as follows:
“The process of cleaning or filtering your input data is known as sanitization. You use sanitizing when you don’t know what to expect from a user, an API, or a web service, or when you don’t want to be strict with data validation.”
According to the documentation, WordPress includes built-in helper functions to protect against malicious inputs, and using these helper functions requires little effort.
WordPress foresees sixteen types of input vulnerabilities and provides solutions to mitigate them.
So it’s surprising that the input sanitization issues are still present in the core of WordPress.
Due to improper sanitization, there were two high-level vulnerabilities:
- SQL injection in WordPress as a result of improper sanitization in WP Meta Query
Blind SQL Injection is possible due to a lack of proper sanitization in WP Meta Query.
- SQL Injection via WP Query in WordPress
Due to improper sanitization in WP Query, SQL injection may be possible through plugins or themes that use it in a specific way.
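The helper functions mentioned above, as an added example that is not taken from the WordPress release or from core code: a hypothetical plugin function, `example_find_posts_by_meta`, that validates request parameters before handing them to WP Query's `meta_query`. The function name, the allowlisted meta keys and the parameter names are assumptions, and the code assumes it is loaded inside a WordPress plugin.

```php
<?php
// Added example: hypothetical plugin code, not WordPress core.
// The allowlisted meta keys and operators below are constructed for illustration.
const EXAMPLE_ALLOWED_META_KEYS = array( 'event_city', 'event_year' );
const EXAMPLE_ALLOWED_COMPARE   = array( '=', '!=', 'LIKE' );

// Takes raw request input (e.g. $_GET); returns post IDs or a WP_Error.
function example_find_posts_by_meta( array $request ) {
	// Only plain strings are accepted; nested arrays are rejected outright.
	foreach ( array( 'key', 'value' ) as $field ) {
		if ( ! isset( $request[ $field ] ) || ! is_string( $request[ $field ] ) ) {
			return new WP_Error( 'example_bad_input', "Missing or malformed '$field'." );
		}
	}

	// sanitize_key() lowercases and keeps only a-z, 0-9, "_" and "-";
	// the allowlist then limits queries to keys this plugin owns.
	$key = sanitize_key( wp_unslash( $request['key'] ) );
	if ( ! in_array( $key, EXAMPLE_ALLOWED_META_KEYS, true ) ) {
		return new WP_Error( 'example_bad_key', 'Unsupported meta key.' );
	}

	// Comparison operators come from a fixed list, never straight from input.
	$compare = isset( $request['compare'] ) && is_string( $request['compare'] )
		? strtoupper( $request['compare'] ) : '=';
	if ( ! in_array( $compare, EXAMPLE_ALLOWED_COMPARE, true ) ) {
		$compare = '=';
	}

	// sanitize_text_field() strips tags, line breaks and extra whitespace.
	$value = sanitize_text_field( wp_unslash( $request['value'] ) );

	// absint() forces a non-negative integer; clamp it to a sane page size.
	$per_page = isset( $request['per_page'] ) ? absint( $request['per_page'] ) : 10;

	$query = new WP_Query( array(
		'post_type'      => 'post',
		'post_status'    => 'publish',
		'fields'         => 'ids',
		'posts_per_page' => min( 50, max( 1, $per_page ) ),
		'meta_query'     => array(
			array( 'key' => $key, 'value' => $value, 'compare' => $compare ),
		),
	) );
	return $query->posts;
}
```

Input handling like this limits what plugin or theme code passes into WP Query, but the core flaws themselves are only closed by updating to the patched release.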
Other flaws are as follows:
- Authenticated Object Injection in WordPress Multisites
Users with the Super Admin role on a multisite can use object injection to bypass explicit/additional hardening under certain circumstances.
- WordPress: XSS stored by authenticated users
Low-privileged authenticated users (such as authors) can execute JavaScript/perform a stored XSS attack against high-privileged users in WordPress core.
WordPress Recommends Immediate Update
Because the vulnerabilities are now public, WordPress users must ensure that their installation is updated to the latest version, which is currently 5.8.3.
WordPress recommended that the installation be updated as soon as possible.