WordPress has announced that it patched four vulnerabilities, the most serious of which are rated 8.0 on the ten-point CVSS scale. The vulnerabilities are in WordPress core itself, in code written by the WordPress project's own developers rather than in third-party plugins or themes.
Four WordPress Vulnerabilities
The WordPress announcement gave few details about how severe the vulnerabilities are.
However, the National Vulnerability Database (NVD), the United States government's public register of vulnerabilities, scored the worst of them at 8.0 on the CVSS scale of 0 to 10, where 10 is the most severe.
The four vulnerabilities are:
- SQL injection due to lack of data sanitization in WP_Meta_Query (severity rated high, 7.4)
- Authenticated Object Injection in Multisites (severity rated medium, 6.6)
- Stored Cross Site Scripting (XSS) through authenticated users (severity rated high, 8.0)
- SQL Injection through WP_Query due to improper sanitization (severity rated high, 8.0)
Three of the four vulnerabilities were discovered by security researchers outside of WordPress; the project learned of them only when it was notified.
The vulnerabilities were privately disclosed to WordPress, which allowed the project to fix them before they became widely known.
WordPress Development Rushed in a Dangerous Way?
WordPress development slowed in 2021: work on the next release, 5.9, could not be finished on schedule, and that release was pushed back into 2022.
There has been talk within WordPress of slowing the pace of development out of concern that contributors cannot keep up.
The WordPress core developers themselves raised the alarm in late 2021 about the pace of development and asked for more time.
One of the developers warned:
“Overall, it seems like right now we are rushing things in a dangerous way.”
WordPress has already missed its own release schedule and is discussing cutting its 2022 calendar from four releases to three. That raises the question of whether the current pace of development is sustainable, and whether more effort should go into making sure vulnerabilities are not shipped to the public in the first place.
Data Sanitization Problems in WordPress
Data sanitization is a way to control what kind of information gets through inputs and into the database. The database holds everything the site needs to function: usernames, password hashes, user profile data, content and configuration.
WordPress documentation describes data sanitization:
“Sanitization is the process of cleaning or filtering your input data. Whether the data is from a user or an API or web service, you use sanitizing when you don’t know what to expect or you don’t want to be strict with data validation.”
The documentation states that WordPress provides built-in helper functions to protect against malicious input and that using them requires minimal effort.
The documentation lists sixteen sanitization helpers, each for a particular kind of input, so the building blocks are already there to use.
So it is surprising that input handling flaws should still appear in the core of WordPress itself. Worth keeping in mind for plugin and theme authors: sanitizing input is only one layer. SQL injection is prevented by parameterising queries (in WordPress, $wpdb->prepare()), and stored XSS by escaping values at the point of output; neither is a substitute for the other.
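The following is an added illustration, not code from WordPress core or from the original announcement. It shows a hypothetical plugin lookup written the vulnerable way (request input concatenated into SQL) and then the hardened way (sanitize, parameterise with $wpdb->prepare(), escape on output), plus an allow-list for arguments handed to WP_Query. It assumes the WordPress runtime is loaded so that $wpdb, wp_unslash(), sanitize_title(), sanitize_key(), esc_html(), wp_kses_post() and get_post_field() exist; the function names prefixed example_ are made up for this example.

```php
<?php
// Added example, not WordPress core code. Assumes the WordPress runtime is loaded
// so that $wpdb, wp_unslash(), sanitize_title(), sanitize_key(), esc_html(),
// wp_kses_post() and get_post_field() exist. The example_ functions are hypothetical.

// Vulnerable: request input dropped straight into SQL. A value such as
//   ' OR 1=1 --
// closes the quoted string early and turns the rest of the input into SQL.
function example_find_post_vulnerable() {
    global $wpdb;
    $slug = $_GET['post'];                              // untrusted, untouched
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_name = '$slug'";
    return $wpdb->get_results( $sql );
}

// Hardened: sanitize the input, then let $wpdb->prepare() bind it as data.
function example_find_post_hardened() {
    global $wpdb;

    // 1. Sanitize. wp_unslash() removes the slashes WordPress adds to request
    //    data; sanitize_title() reduces the value to what a post slug may contain.
    $slug = isset( $_GET['post'] ) ? sanitize_title( wp_unslash( $_GET['post'] ) ) : '';
    if ( '' === $slug ) {
        return array();
    }

    // 2. Parameterise. Placeholder values (%s string, %d integer) are quoted and
    //    escaped by prepare(), so the slug can never change the query's shape.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = %s AND post_name = %s LIMIT %d",
        'publish',
        $slug,
        1
    );
    return $wpdb->get_results( $sql );
}

// The same rule applies to higher-level query APIs such as WP_Query: build the
// argument array from validated values instead of passing request data through.
function example_query_args_hardened() {
    $allowed_orderby = array( 'date', 'title', 'modified' );     // allow-list
    $orderby         = isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : 'date';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'date';                                       // reject anything else
    }
    return array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'orderby'        => $orderby,
        'posts_per_page' => 10,
    );
    // usage: $query = new WP_Query( example_query_args_hardened() );
}

// Output: sanitizing on the way in does not make a value safe to print. esc_html()
// escapes for the HTML context; wp_kses_post() keeps the tags an author may use
// and drops <script>, on* event handlers and javascript: URLs, which is what stops
// a stored XSS payload from running in an administrator's browser.
function example_render( array $rows ) {
    foreach ( $rows as $row ) {
        echo '<h2>' . esc_html( $row->post_title ) . '</h2>';
        echo '<div>' . wp_kses_post( get_post_field( 'post_content', $row->ID ) ) . '</div>';
    }
}
```

The three layers are deliberately separate: sanitize_title() shrinks the input, prepare() makes the remaining string inert to the database, and esc_html() / wp_kses_post() make stored content inert to the browser. Dropping any one of them leaves a path open, which is why a flaw in a core query class can matter even when a plugin sanitizes its own input.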
There were two high-severity vulnerabilities related to improper sanitization:
- WordPress: SQL injection due to improper sanitization in WP_Meta_Query
Due to lack of proper sanitization in WP_Meta_Query, there’s potential for blind SQL Injection.
- WordPress: SQL Injection through WP_Query
Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way.
The other vulnerabilities are:
- WordPress: Authenticated Object Injection in Multisites
On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection.
- WordPress: Stored XSS through authenticated users
Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users.
WordPress Recommends Updating Right Away
Because the vulnerabilities are now public, WordPress users should make sure their installation is updated to the latest version, currently 5.8.3.
WordPress advised updating immediately. Sites with automatic background updates enabled receive the release automatically; everyone else should update from Dashboard > Updates and confirm the version afterwards.
Citations
Read the Official WordPress Notice
WordPress 5.8.3 Security Release
National Vulnerability Database Reports
Authenticated Object Injection in Multisites
Stored XSS through authenticated users
Improper sanitization in WP_Query
SQL injection due to improper sanitization in WP_Meta_Query