WordPress has released an emergency patch for four serious vulnerabilities. WordPress 5.8.3 is available immediately.
WP_Meta_Query and WP_Query, two crucial and widely used classes in the content management system, were found to be vulnerable to SQL injection. XSS attacks were made possible through post slugs (the unique name of a page as it appears in its URL). Some WordPress multisites were also prone to PHP object injection, which creates a risk of remote code execution (RCE).
WordPress 5.8.3 fixes these vulnerabilities. The urgent advice is to patch. According to the US National Vulnerability Database, the vulnerabilities are rated critical.
Cause
At the end of 2021, WordPress developers faced a heavy workload. The team had hoped to ship the platform’s next major release (5.9) in December 2021. That plan turned out to be unrealistic, and 5.9 has been postponed to January 25, 2022.
Addison Stavlo, one of the developers of the open-source platform, described the 5.9 development process as a “red flag” and “dangerously rushed”. Search Engine Journal, an online publication, speculates that the vulnerabilities could have been prevented with more time and attention to security. There is a kernel of truth in that, but work pressure is temporary; the vulnerabilities have been present since 2013.