The WordPress development team has shipped a short-cycle security release, version 5.8.3. It fixes four flaws, three of which are categorized as critical: an SQL injection through WP_Query, a blind SQL injection via WP_Meta_Query, an XSS via post slugs, and an object injection that requires an administrator account.
Each flaw has preconditions that must be met before it can be exploited, and most WordPress sites that keep the default automatic core update configuration are unaffected. Sites still running WordPress 5.8.2 or older, with a read-only filesystem and automatic core updates disabled in wp-config.php, may be exposed to attacks exploiting these flaws.
These are the four weaknesses fixed by the current security update:
- CVE-2022-21661: High severity (CVSS score 8.0) SQL injection via WP_Query. Plugins and themes that use WP_Query are affected. Fixes cover WordPress versions as old as 3.7.37.
- CVE-2022-21662: High severity (CVSS score 8.0) XSS vulnerability allowing authors (lower privilege users) to build a malicious backdoor or take control of a website by misusing post slugs. Fixes cover WordPress versions as old as 3.7.37.
- CVE-2022-21664: High severity (CVSS score 7.4) SQL injection through the WP_Meta_Query core class. Fixes cover WordPress versions as old as 4.1.34.
- CVE-2022-21663: Medium severity (CVSS score 6.6) object injection problem that can only be exploited if a threat actor has already compromised an administrator account. Fixes cover WordPress versions as old as 3.7.37.
There have been no reports of any of the issues mentioned above being actively exploited in the wild, and none of them are considered to have a significant impact on most WordPress sites. Nonetheless, all WordPress site owners should upgrade to version 5.8.3, check their firewall setup, and ensure WP core updates are turned on.
Core updates are controlled by the WP_AUTO_UPDATE_CORE constant in wp-config.php, which should read define('WP_AUTO_UPDATE_CORE', true);. Automated core updates were first implemented in WordPress 3.7 in 2013, and according to official statistics just 0.7% of all WordPress sites are still on an earlier version.
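The article describes the at-risk profile as a core version of 5.8.2 or older combined with WP_AUTO_UPDATE_CORE disabled in wp-config.php. The script below is an added example, not code from the article or from WordPress, that checks an install against exactly that profile by reading the version string from wp-includes/version.php and the define from wp-config.php. The two sample sites it writes under a temporary directory are constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article or WordPress): audit an install for the
# exposure conditions described above. Sample files below are constructed.

# version_lt A B: succeeds (exit 0) when dotted version A is older than B.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                  # leading numeric component
        [ "$a" = "$x" ] && a='' || a=${a#*.}    # consume it from A
        [ "$b" = "$y" ] && b='' || b=${b#*.}    # consume it from B
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1                                    # versions are equal
}

# wp_core_version VERSION_PHP: prints $wp_version from wp-includes/version.php.
wp_core_version() {
    awk -F"'" '/^[$]wp_version[[:space:]]*=/ { print $2; exit }' "$1"
}

# wp_auto_update_setting WP_CONFIG: prints the literal passed to
# define('WP_AUTO_UPDATE_CORE', ...), or "unset" if no uncommented define exists.
wp_auto_update_setting() {
    v=$(awk '/^[[:space:]]*define[[:space:]]*\([[:space:]]*[\047"]WP_AUTO_UPDATE_CORE[\047"]/ {
                sub(/^[^,]*,[[:space:]]*/, "")   # keep only the value argument
                sub(/[[:space:]]*\).*$/, "")     # drop the closing paren and rest
                print; exit
            }' "$1")
    printf '%s\n' "${v:-unset}"
}

# wp_is_exposed VERSION_PHP WP_CONFIG: succeeds when core is older than 5.8.3
# AND WP_AUTO_UPDATE_CORE is explicitly false. An unreadable version string
# compares as older than anything, so an unknown install is flagged, not ignored.
wp_is_exposed() {
    version_lt "$(wp_core_version "$1")" 5.8.3 && \
        [ "$(wp_auto_update_setting "$2")" = "false" ]
}

# --- constructed sample installs for the demo ---
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/at-risk" "$SAMPLE_DIR/patched"
printf "<?php\n\$wp_version = '5.8.2';\n" > "$SAMPLE_DIR/at-risk/version.php"
printf "<?php\ndefine( 'WP_AUTO_UPDATE_CORE', false );\n" > "$SAMPLE_DIR/at-risk/wp-config.php"
printf "<?php\n\$wp_version = '5.8.3';\n" > "$SAMPLE_DIR/patched/version.php"
printf "<?php\n// define( 'WP_AUTO_UPDATE_CORE', false );\ndefine( 'WP_AUTO_UPDATE_CORE', true );\n" \
    > "$SAMPLE_DIR/patched/wp-config.php"

for site in at-risk patched; do
    ver=$(wp_core_version "$SAMPLE_DIR/$site/version.php")
    setting=$(wp_auto_update_setting "$SAMPLE_DIR/$site/wp-config.php")
    if wp_is_exposed "$SAMPLE_DIR/$site/version.php" "$SAMPLE_DIR/$site/wp-config.php"; then
        echo "$site: core $ver, WP_AUTO_UPDATE_CORE=$setting -> EXPOSED: update to 5.8.3 and re-enable core updates"
    else
        echo "$site: core $ver, WP_AUTO_UPDATE_CORE=$setting -> ok"
    fi
done
```

Point the two functions at a real install's wp-includes/version.php and wp-config.php to run the same check there; commented-out defines are ignored, and a missing define is reported as "unset" rather than as disabled.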