WordPress has announced patches for four vulnerabilities, the most severe rated 8 on a scale of 1 to 10. The flaws are in the WordPress core itself and were introduced by the WordPress development team.
Four WordPress Vulnerabilities
The WordPress announcement gave little detail about how serious the vulnerabilities were.
However, the United States Government's National Vulnerability Database (NVD), where vulnerabilities are logged and publicized, rated them as high as 8.0 on a scale of 1 to 10, with ten representing the highest danger level.
The four vulnerabilities are as follows:
- SQL injection as a result of insufficient data sanitization in WP Meta Query (severity level rated high, 7.4)
- Authenticated Object Injection in Multisite Environments (severity level rated medium, 6.6)
- Cross Site Scripting (XSS) exploited by authenticated users (severity level rated high, 8.0)
- SQL injection via WP Query due to insufficient sanitization (severity level rated high, 8.0)
Three of the four vulnerabilities were discovered by security researchers who were not affiliated with WordPress. WordPress was unaware of the issues until it was notified.
The vulnerabilities were privately disclosed to WordPress, allowing the company to address the issues before they became widely known.
WordPress Development Rushed in a Dangerous Way?
WordPress development slowed in 2021 when work on the upcoming release, 5.9, could not be completed on schedule, pushing that release back to later in 2022.
There has been discussion within WordPress about slowing down the rate of development due to concerns about the ability to keep up.
The WordPress core developers themselves raised the alarm about the pace of development in late 2021, pleading for more time.
One of the developers issued the following warning:
“Overall, it seems like right now we are rushing things in a dangerous way.”
Given that WordPress has been unable to keep to its own release schedule and is considering cutting its 2022 calendar from four releases to three, it is fair to question the pace of development and whether more effort should go into ensuring that vulnerabilities are not inadvertently shipped to the public.
Problems with Data Sanitization in WordPress
Data sanitization is a method of controlling what type of information passes through inputs and into the database. The database is where information about the site is stored, such as passwords, usernames, user information, content, and other information required for the site to function.
The following is how the WordPress documentation describes data sanitization:
“Sanitization is the process of cleaning or filtering your input data. Whether the data is from a user or an API or web service, you use sanitizing when you don’t know what to expect or you don’t want to be strict with data validation.”
According to the documentation, WordPress includes built-in helper functions to protect against malicious inputs, and using them requires little effort.
WordPress foresees sixteen types of input vulnerabilities and provides solutions to mitigate them.
So it’s surprising that the input sanitization issues are still present in the core of WordPress.
Two of the high-severity vulnerabilities stem from improper sanitization:
- SQL injection in WordPress as a result of improper sanitization in WP Meta Query: blind SQL injection is possible due to a lack of proper sanitization in WP Meta Query.
- SQL injection via WP Query in WordPress: due to improper sanitization in WP Query, SQL injection may be possible through plugins or themes that use it in a specific way.
The other two flaws are as follows:
- Authenticated Object Injection in WordPress Multisites: under certain conditions, users with the Super Admin role on a multisite can bypass explicit or additional hardening via object injection.
- Stored XSS by authenticated users in WordPress: in WordPress core, low-privileged authenticated users (such as those with the Author role) can perform a stored XSS attack that executes JavaScript in the browsers of high-privileged users.
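The sanitization discussion above and the stored-XSS item both come down to the same plugin-level discipline the WordPress documentation describes: validate or sanitize data on the way in, parameterize SQL, and escape on the way out. The following is an added example written for this article, not code from WordPress core or from the security release. It assumes it runs inside a loaded WordPress environment where sanitize_text_field(), absint(), esc_html(), update_option(), get_option() and the global $wpdb exist; the option name demo_plugin_notes and both function names are constructed for the example. Note that this pattern protects a plugin's own queries; the core WP Query and WP Meta Query fixes themselves only arrive by updating WordPress.

```php
<?php
// Added example, not WordPress core code. Assumes a loaded WordPress
// environment (sanitize_text_field(), absint(), esc_html(), $wpdb, and the
// options API are available). The option name and function names are
// constructed for illustration.

/**
 * Unsafe pattern: raw request values are interpolated into SQL and the
 * stored note is printed back without escaping.
 */
function demo_lookup_unsafe( $post_id_raw, $note_raw ) {
    global $wpdb;

    // SQL injection: the caller-supplied value becomes part of the statement.
    $sql   = "SELECT post_title FROM {$wpdb->posts} WHERE ID = $post_id_raw";
    $title = $wpdb->get_var( $sql );

    // Stored XSS: the note is saved as-is and later rendered as HTML, so any
    // viewer, including an administrator, runs whatever markup it carries.
    update_option( 'demo_plugin_notes', $note_raw );
    return '<p>' . $title . ': ' . get_option( 'demo_plugin_notes' ) . '</p>';
}

/**
 * Hardened pattern: validate and sanitize on input, prepare the SQL,
 * escape at the point of output.
 */
function demo_lookup_safe( $post_id_raw, $note_raw ) {
    global $wpdb;

    // Validation: a post ID is a positive integer. absint() coerces anything
    // else to 0, which we reject before touching the database.
    $post_id = absint( $post_id_raw );
    if ( 0 === $post_id ) {
        return null;
    }

    // Parameterized query: the %d placeholder guarantees an integer is bound,
    // whatever string the caller originally passed.
    $title = $wpdb->get_var(
        $wpdb->prepare( "SELECT post_title FROM {$wpdb->posts} WHERE ID = %d", $post_id )
    );

    // Sanitization: strip tags, invalid UTF-8 and stray whitespace from the
    // free-text note before it is persisted.
    $note = sanitize_text_field( $note_raw );
    update_option( 'demo_plugin_notes', $note );

    // Escaping: HTML-encode everything at output time so stored data is shown
    // as text and never interpreted as markup or script, regardless of who
    // is viewing it.
    return '<p>' . esc_html( (string) $title ) . ': '
        . esc_html( (string) get_option( 'demo_plugin_notes' ) ) . '</p>';
}

// Typical call site: request parameters arrive as untrusted strings.
// echo demo_lookup_safe( $_GET['post_id'] ?? '', $_POST['note'] ?? '' );
```

The two functions take identical inputs; the difference is entirely where trust is established. The hardened version treats the post ID as data the database must never see as SQL, and treats the note as data the browser must never see as HTML, which is the same separation the core fixes restore inside WP Query and WP Meta Query.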
WordPress Recommends Updating Right Away
Because the vulnerabilities are now public, WordPress users must ensure that their installation is updated to the latest version, which is currently 5.8.3.
WordPress recommended that the installation be updated as soon as possible.