WordPress revealed high-level vulnerabilities that were introduced internally by its core development team
WordPress reported that it had fixed four vulnerabilities that were rated as high at 8 on a scale from 1-10. These vulnerabilities exist in WordPress core and were introduced by WordPress developers.
Four WordPress Vulnerabilities
WordPress did not provide enough details about the severity of the vulnerabilities and was brief on details.
The vulnerability ratings were rated by the United States Government National Vulnerability Database, which logs vulnerabilities and makes them public.
These are the four vulnerabilities:
- SQL injection caused by a lack of data sanitization within WP_Meta_Query. (Severity Level rated high, 7.4)
- Multisite Authenticated Object Injection (severity rating medium 6.6).
- Stored Cross Site Scripting through authenticated users (severity rating high, 8.0).
- SQL Injection via WP_Query because of improper sanitization (severity rating high, 8.8)
Security researchers from outside WordPress discovered three of four vulnerabilities. WordPress was unaware of the vulnerability until they were notified.
WordPress was notified privately about the vulnerabilities, which enabled WordPress to address them before they were widely known.
WordPress Development Rejected in a Dangerous Way
WordPress development was slowed in 2021 due to inability to complete work on 5.9 which saw the WordPress version pushed back to 2022.
WordPress has spoken out about slowing down development to address concerns over the ability of the site to keep up.
In late 2021, WordPress core developers raised concerns about the speed of development and pleaded for more time.
One developer advised:
“Overall it seems that right now, we are rushing to things in a dangerous manner.”
WordPress is unable to keep up with its release schedule, and they are considering reducing their 2022 release date from four to three. This raises questions about the speed of WordPress development and whether it should make more efforts to ensure that no vulnerabilities are accidentally released to the general public.
Data Sanitization Issues in WordPress
Data sanitization allows you to control the information that is sent through the inputs to the database. The site’s database holds passwords, usernames, content, and any other information necessary to run the site.
WordPress documentation describes data sanitization:
“Sanitization refers to the process of filtering or cleaning your input data. You can use sanitizing regardless of whether the data comes from a user, an API, or web service.
documentation says that WordPress has built-in helper function to protect against malicious inputs. This means that it is easy to use these functions.
WordPress can anticipate sixteen types of input vulnerabilities and offers solutions to them.
It’s not surprising, then, that WordPress still has issues with input sanitization.
Two high-level vulnerabilities were related to insufficient sanitization.
- WordPress: SQL injection caused by improper WP_Meta_Query sanitization
Blind SQL Injection is possible due to a lack of WP_Meta_Query’s proper sanitization - WordPress: SQL Injection via WP_Query
WP_Query’s inept sanitization can lead to SQL injection through plugins and themes that use it in certain ways.
Other vulnerabilities:
- WordPress: Multisite Authenticated Object Injection
Users with the Super Admin role on a multisite can bypass explicit/additional harderening by object injection under certain conditions. - WordPress: Stored SQLS through authenticated users
Author and low-privileged authenticated WordPress users are able execute JavaScript/perform stored XSS attacks, which can impact high-privileged users.
WordPress recommends that you update right away
WordPress users should ensure that their WordPress installation is up-to-date to 5.8.3.