WordPress 5.8.3, a security release that became available last week, patches four injection-related vulnerabilities.
Two of the flaws are SQL injections — one affects WP_Meta_Query (discovered by Ben Bidner of the WordPress security team) and one affects WP_Query (discovered by ngocnb and khuyenn of GiaoHangTietKiem JSC).
Simon Scannell of SonarSource reported an object injection issue affecting some multisite installations, as well as a stored cross-site scripting (XSS) bug. Karim El Ouerghemmi was also credited for the XSS vulnerability.
These vulnerabilities affect WordPress versions between 3.7 and 5.8.
Websites that support automatic updates may have already been updated. Other WordPress users have been advised to manually update from their Dashboard.
WordPress websites are highly targeted by malicious actors, although in most cases they target widely used themes and plugins that contain vulnerabilities.
The threat intelligence team at WordPress security firm Defiant warned in December that it had spotted a massive campaign in which 1.6 million WordPress sites had been the target of 13.7 million attack attempts coming from 16,000 IP addresses, all within a 36 hour timeframe. The attackers’ goal was to take control of vulnerable websites.
While in some cases attackers target zero-day flaws, in this case they had attempted to exploit known security holes affecting four plugins, including weaknesses patched months ago and ones that had been fixed only a few days before the attacks started.
Another major WordPress-related incident that came to light recently involved domain registrar and web hosting giant GoDaddy, which in November disclosed a data breach impacting 1.2 million Managed WordPress users.