The WordPress team pushed the emergency security updates to fix the four critical vulnerabilities that are in the WordPress core itself. The vulnerabilities are rated as high as 8 on a scale of 1 to 10.
According to the stats, more than 30% of the internet's websites run on the WordPress CMS, i.e. approximately 455 million sites. The stats for 2021 show that:
- 62% of the top 100 fastest-growing companies in the US (Inc. 5000) use WordPress.
- Over 500 new sites are created daily using the free version of WordPress.org
- Seventy million new blog posts pop up every month.
The four vulnerabilities are:
- SQL injection due to lack of data sanitization in WP_Meta_Query (severity level rated high, 7.4)
- Authenticated Object Injection in Multisites (severity level rated medium, 6.6)
- Stored Cross-Site Scripting (XSS) through authenticated users (severity level rated high, 8.0)
- SQL Injection through WP_Query due to improper sanitization (severity level rated high, 8.0) [CVE-2022-21661]
Three of the four vulnerabilities were discovered by people outside of WordPress, who then notified them. There is no evidence that any of them were exploited in the wild.
Update on 4th December 2022
We have seen that exploit code for the WordPress Core 5.8.2 'WP_Query' SQL Injection vulnerability has been released. The vulnerability has been identified as CVE-2022-21661, and it allows remote attackers to disclose sensitive information on affected installations of WordPress Core.
The specific flaw exists within the WP_Query class, where a user-supplied string is not properly validated before it is used to construct SQL queries.
A security vulnerability in WordPress was privately disclosed to the WordPress team, who could fix the issue before it became known to malicious actors.
Authentication is not required to exploit this vulnerability. As a result, an attacker can leverage it to disclose stored credentials, leading to further compromise.
WordPress thanked the following researchers for privately disclosing the vulnerabilities, which gave the security team time to fix the vulnerabilities before WordPress sites could be attacked.
- Karim El Ouerghemmi and Simon Scannell of SonarSource discovered the stored XSS through post slugs.
- Simon Scannell of SonarSource again reported Object injection in some multisite installations.
- Ngocnb and Khuyenn from GiaoHangTietKiem JSC working with Trend Micro Zero Day Initiative reported a SQL injection vulnerability in WP_Query.
- Ben Bidner from the WordPress security team discovered a SQL injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8).
Update Your WordPress Now
Because the vulnerabilities are now in the open, WordPress users must make sure their WordPress installation is updated to the latest version, currently 5.8.3.
You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your Dashboard → Updates and clicking Update Now.
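The check an administrator responsible for several installs would want after reading the above is whether each WordPress root is already at or above the patched core release, 5.8.3. The following shell script is an added example, not code from the article or from the WordPress project. It assumes only that the install records its core version in `wp-includes/version.php` as `$wp_version = 'X.Y.Z';` (the real layout of that file) and that `sort -V` is available (GNU coreutils or busybox); the sample install it inspects is constructed in a temporary directory, not a real site.

```shell
#!/bin/sh
# Added example (not from the article): report whether a WordPress install is
# at or above the patched core release named in the article, 5.8.3.
# Assumptions: wp-includes/version.php contains a line $wp_version = 'X.Y.Z';
# and `sort -V` (version sort) is available on the host.

PATCHED_VERSION="5.8.3"

# Print the core version recorded under a WordPress root directory.
wp_core_version() {
    wp_root="$1"
    grep '^\$wp_version = ' "$wp_root/wp-includes/version.php" | cut -d "'" -f 2
}

# Succeed (exit 0) when the installed version is >= PATCHED_VERSION,
# fail (exit 1) when it is older. Uses version sort so 5.10 > 5.9.
version_is_patched() {
    installed="$1"
    lowest=$(printf '%s\n%s\n' "$installed" "$PATCHED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$PATCHED_VERSION" ]
}

# Print a one-line verdict for a WordPress root.
report() {
    wp_root="$1"
    v=$(wp_core_version "$wp_root")
    if version_is_patched "$v"; then
        echo "$wp_root: WordPress $v is at or above $PATCHED_VERSION"
    else
        echo "$wp_root: WordPress $v is OLDER than $PATCHED_VERSION - update now"
    fi
}

# Build a constructed, throw-away WordPress-like tree recording the given
# version, so the script can be run offline against something realistic.
make_sample_install() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes"
    printf '%s\n' '<?php' "\$wp_version = '$1';" > "$root/wp-includes/version.php"
    printf '%s' "$root"
}

# Demo against the constructed install (the vulnerable 5.8.2 from the article).
demo_root=$(make_sample_install 5.8.2)
report "$demo_root"
rm -rf "$demo_root"
```

To use it on real hosts, replace the demo lines with `report /var/www/html` (or whichever roots you manage). On a host with WP-CLI, `wp core version` and `wp core update` give the same check and the update itself; the script above is for hosts where only a shell is available.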