Ahead of the next major release, WordPress 5.9, the WordPress development team has rolled out WordPress 5.8.3, a security release that addresses four vulnerabilities, three of them rated high severity.
WordPress says that most sites which keep the default automatic core updates enabled have already received the fix and are not vulnerable.
A site still running WordPress 5.8.2 or older that has disabled automatic core updates in wp-config.php, however, remains exposed to all four flaws until it is updated manually.
Below are four security vulnerabilities fixed with the 5.8.3 security update:
- CVE-2022-21661: CVSS score 8.0 (High Severity). SQL injection in the WP_Query core class. Core does not expose it on its own; it becomes reachable through plugins and themes that pass attacker-controlled input into WP_Query. The fix is backported to the 3.7 through 5.8 branches (fixed releases 3.7.37 up to 5.8.3).
- CVE-2022-21662: CVSS score 8.0 (High Severity). Stored XSS through post slugs: a low-privileged user with the Author role can inject JavaScript via a post slug, which can be leveraged to take over the site. Fixed releases cover 3.7.37 up to 5.8.3.
- CVE-2022-21663: CVSS score 6.6 (Medium Severity). PHP object injection. Exploitation requires an attacker who already holds an administrator-level account, so this is a post-compromise hardening bypass rather than an initial-access bug. Fixed releases cover 4.1.34 up to 5.8.3.
- CVE-2022-21664: CVSS score 7.4 (High Severity). SQL injection via the WP_Meta_Query core class. Fixed releases cover 3.7.37 up to 5.8.3.
At the time of writing there are no reports of these flaws being exploited in the wild.
Even so, site owners should update to 5.8.3 (or the backported fixed release for their branch), review their web application firewall rules, and confirm that automatic core updates are not disabled in wp-config.php.
In wp-config.php, check the WP_AUTO_UPDATE_CORE constant. WordPress applies minor releases (which is what 5.8.3 is) by default, so the constant normally does not need to be present at all; a line that sets it to false is what blocks the fix. To enable all core updates, minor and major alike, set it as follows:
define('WP_AUTO_UPDATE_CORE', true );
Setting it to 'minor' instead keeps the default behaviour of applying only security and maintenance releases. Note that define('AUTOMATIC_UPDATER_DISABLED', true) or define('DISALLOW_FILE_MODS', true) elsewhere in the file switches the automatic updater off regardless of this value.
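To check an install rather than eyeball the file, here is an added example that is not part of the article or of WordPress itself: a POSIX shell script that reads the installed version from wp-includes/version.php and works out the effective core auto-update policy from wp-config.php using the precedence WordPress applies (AUTOMATIC_UPDATER_DISABLED or DISALLOW_FILE_MODS switch the updater off; WP_AUTO_UPDATE_CORE false, true or 'minor'; unset means minor). It assumes each constant is set on a single define('NAME', value) line, and the verdict function assumes the 5.8 branch; older branches received their own backported releases, so those are flagged for a manual check instead. The fixture directories it builds are constructed sample data, not real installs.

```shell
#!/bin/sh
# Added example, not code from the article or from WordPress core.
# Reads a WordPress install's version and the auto-update constants in
# wp-config.php and reports whether the four 5.8.3 fixes are in place or
# will arrive automatically. Assumes each constant is set with a single
# define('NAME', value) line; runtime filters (e.g. auto_update_core)
# that a file scan cannot see may still change the outcome.

# Value of a define()'d constant in wp-config.php, or "unset" if absent.
# Commented-out lines (// or #) do not match; PHP keeps the first define().
wp_define_value() {
    _file=$1; _name=$2
    _val=$(grep -E "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]${_name}['\"]" "$_file" 2>/dev/null \
        | head -n 1 \
        | sed -E "s/.*['\"]${_name}['\"][[:space:]]*,[[:space:]]*//; s/[[:space:]]*\)[[:space:]]*;.*//; s/^['\"]//; s/['\"]$//")
    if [ -z "$_val" ]; then echo unset; else echo "$_val"; fi
}

# Effective core auto-update policy, mirroring WordPress's own precedence:
#   none  - updater off (AUTOMATIC_UPDATER_DISABLED, DISALLOW_FILE_MODS, or
#           WP_AUTO_UPDATE_CORE false); 5.8.3 will never be applied
#   minor - minor/security releases only (the default when unset or 'minor')
#   all   - minor and major releases (true, or a pre-release channel)
wp_core_autoupdate_policy() {
    _cfg=$1
    case $(wp_define_value "$_cfg" AUTOMATIC_UPDATER_DISABLED) in
        true|1) echo none; return 0 ;;
    esac
    case $(wp_define_value "$_cfg" DISALLOW_FILE_MODS) in
        true|1) echo none; return 0 ;;
    esac
    case $(wp_define_value "$_cfg" WP_AUTO_UPDATE_CORE) in
        false)                                        echo none ;;
        true|beta|rc|development|branch-development)  echo all ;;
        *)                                            echo minor ;;
    esac
}

# $wp_version as declared in wp-includes/version.php.
wp_installed_version() {
    grep -E '^\$wp_version[[:space:]]*=' "$1/wp-includes/version.php" 2>/dev/null \
        | head -n 1 | sed -E "s/.*=[[:space:]]*['\"]//; s/['\"].*//"
}

# Verdict for one install directory:
#   patched               - 5.8.3 or later
#   pending-autoupdate    - 5.8.x below 5.8.3, minor updates still allowed
#   exposed               - 5.8.x below 5.8.3 and the updater is off
#   check-branch-backport - an older branch; compare against that branch's
#                           own fixed release (e.g. 3.7.37, 4.1.34) by hand
wp_exposed() {
    _dir=$1
    _ver=$(wp_installed_version "$_dir")
    _pol=$(wp_core_autoupdate_policy "$_dir/wp-config.php")
    case "$_ver" in
        5.8.3|5.8.[4-9]*|5.8.[1-9][0-9]*|5.9*|[6-9].*) echo patched ;;
        5.8*) if [ "$_pol" = none ]; then echo exposed; else echo pending-autoupdate; fi ;;
        *)    echo check-branch-backport ;;
    esac
}

# Build a constructed fixture (sample data, not a real install):
# wp-includes/version.php plus a wp-config.php made of the given lines.
wp_make_fixture() {
    _dir=$1; _ver=$2; shift 2
    mkdir -p "$_dir/wp-includes"
    printf '%s\n' '<?php' "\$wp_version = '$_ver';" > "$_dir/wp-includes/version.php"
    { printf '%s\n' '<?php'; printf '%s\n' "$@"; } > "$_dir/wp-config.php"
}

# Demo on three constructed sites.
demo_dir=$(mktemp -d)
wp_make_fixture "$demo_dir/a" 5.8.2 "define( 'WP_AUTO_UPDATE_CORE', false );"
wp_make_fixture "$demo_dir/b" 5.8.2 "// define( 'WP_AUTO_UPDATE_CORE', false );"
wp_make_fixture "$demo_dir/c" 5.8.3 "define( 'WP_AUTO_UPDATE_CORE', true );"
for s in a b c; do
    printf '%s: version %s, core auto-updates %s -> %s\n' "$s" \
        "$(wp_installed_version "$demo_dir/$s")" \
        "$(wp_core_autoupdate_policy "$demo_dir/$s/wp-config.php")" \
        "$(wp_exposed "$demo_dir/$s")"
done
rm -rf "$demo_dir"
```

Against a real site, call `wp_exposed /path/to/docroot` after sourcing the script. Because a file scan cannot see filters or a server-side cron that never fires, treat "pending-autoupdate" as a prompt to verify that the site has actually reached 5.8.3, not as proof that it has.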