Quartet of software flaws addressed ahead of next major release of popular CMS
The developers of WordPress have pushed out a security-focused update that addresses four significant security flaws in the content management software.
More specifically, WordPress 5.8.3 patches cross-site scripting (XSS) and SQL injection vulnerabilities that affect WordPress versions 3.7 through 5.8.
First up, there's a fix for a stored XSS vulnerability via post slugs that was discovered by Karim El Ouerghemmi and Simon Scannell of SonarSource.
El Ouerghemmi told The Daily Swig: “We discovered and reported a stored XSS vulnerability in WordPress that could allow an authenticated attacker to inject a JavaScript payload into post slugs.
“This payload would then infect in the administration dashboard, and ultimately, could be used to hijack administrator accounts and to compromise the installation.”
El Ouerghemmi continued: “We reported the vulnerability more than three years ago, and we are happy to see it's finally patched.”
SonarSource plans to release the technical details of this vulnerability in a blog post next Tuesday (January 11) along with details on how this could have been exploited without any user privileges when an older version of the widely used plugin is installed.
Simon Scannell, also from SonarSource, separately reported an issue with “object injection in some multisite installations” that's also patched with the WordPress 5.8.3 release.
The same update tackles an SQL injection vulnerability in WP_Query discovered by ngocnb and khuyenn from GiaoHangTietKiem JSC and reported through Trend Micro's Zero Day Initiative (ZDI) programme.
The Daily Swig approached the ZDI for comment. No word back as yet, but we'll update this story as and when more information comes to hand.
WordPress 5.8.3 is a security patch-focused interim release of the CMS that omits any new features or functionality.
The first major core release of the year, WordPress 5.9, is scheduled to launch on January 25.