Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

WordPress 5.8.3 Patches Several Injection Vulnerabilities

WordPress 5.8.3, a security release that became available last week, patches four injection-related vulnerabilities.

Two of the flaws are SQL injections — one affects WP_Meta_Query (discovered by Ben Bidner of the WordPress security team) and one affects WP_Query (discovered by ngocnb and khuyenn of GiaoHangTietKiem JSC).

WordPress 5.8.3, a security release that became available last week, patches four injection-related vulnerabilities.

Two of the flaws are SQL injections — one affects WP_Meta_Query (discovered by Ben Bidner of the WordPress security team) and one affects WP_Query (discovered by ngocnb and khuyenn of GiaoHangTietKiem JSC).

Simon Scannell of SonarSource reported an object injection issue affecting some multisite installations, as well as a stored cross-site scripting (XSS) bug. Karim El Ouerghemmi was also credited for the XSS vulnerability.

These vulnerabilities affect WordPress versions between 3.7 and 5.8.

Websites that support automatic updates may have already been updated. Other WordPress users have been advised to manually update from their Dashboard.

WordPress websites are highly targeted by malicious actors, although in most cases they target widely used themes and plugins that contain vulnerabilities.

The threat intelligence team at WordPress security firm Defiant warned in December that it had spotted a massive campaign in which 1.6 million WordPress sites had been the target of 13.7 million attack attempts coming from 16,000 IP addresses, all within a 36 hour timeframe. The attackers’ goal was to take control of vulnerable websites.

While in some cases attackers target zero-day flaws, in this case they had attempted to exploit known security holes affecting four plugins, including weaknesses patched months ago and ones that had been fixed only a few days before the attacks started.

Another major WordPress-related incident that came to light recently involved domain registrar and web hosting giant GoDaddy, which in November disclosed a data breach impacting 1.2 million Managed WordPress users.

Related: Critical Flaw in WordPress Plugin Leads to Database Wipe

Related: GoDaddy Says Several Brands Hit by Recent WordPress Hosting Breach

Related: WordPress 5.8.1 Patches Several Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.