On January 6, 2022, WordPress released version 5.8.3 to fix several serious security flaws.
This update fixes 4 critical vulnerabilities and is available for all WordPress versions from 3.7 onwards.
You can rest assured that from WordPress 3.7 onwards, security releases are installed automatically, which reduces the risk of being exploited by hackers.
So most WordPress sites are not in danger in this case, except for the few that have disabled automatic core updates.
If you have turned this feature off, you can turn it back on by deleting the line:
define( 'WP_AUTO_UPDATE_CORE', false );
from the wp-config.php file.
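As an added example (not code from the original post), here is a small POSIX shell audit that checks the two things this post asks you to verify: whether wp-config.php still disables core auto-updates, and whether the installed core is older than 5.8.3. It assumes the standard wp-config.php and wp-includes/version.php locations and builds a constructed sample install to run against.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress install for
# the two things the post asks readers to check. Sample files are constructed.

# Returns 0 when wp-config.php disables core auto-updates with
# define( 'WP_AUTO_UPDATE_CORE', false ); commented-out lines are ignored.
autoupdate_disabled() {
  grep -Ev '^[[:space:]]*(//|#)' "$1" |
    grep -Eq "define\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*false[[:space:]]*\)"
}

# Prints the $wp_version value declared in wp-includes/version.php.
installed_version() {
  sed -n "s/^\\\$wp_version *= *'\([^']*\)'.*/\1/p" "$1"
}

# Returns 0 when dot-separated version $1 is strictly older than $2.
version_older_than() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Audits the install rooted at $1; prints each finding and returns 1 if any.
audit_wordpress() {
  rc=0
  if autoupdate_disabled "$1/wp-config.php"; then
    echo "WARN: WP_AUTO_UPDATE_CORE is false; delete that define from wp-config.php"
    rc=1
  fi
  ver=$(installed_version "$1/wp-includes/version.php")
  if version_older_than "$ver" 5.8.3; then
    echo "WARN: WordPress core $ver is older than 5.8.3; update core now"
    rc=1
  fi
  return $rc
}

# Constructed sample install in the risky state the post describes.
tmp=$(mktemp -d)
mkdir -p "$tmp/wp-includes"
printf "<?php\ndefine( 'WP_AUTO_UPDATE_CORE', false );\n" > "$tmp/wp-config.php"
printf "<?php\n\$wp_version = '5.8.2';\n" > "$tmp/wp-includes/version.php"
audit_wordpress "$tmp" || echo "Action needed in $tmp"
```

Run it against a real install by replacing the constructed `$tmp` with the site's document root.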
Information about security holes
According to the information I consulted from Wordfence, the details of the security holes, as analyzed by their team of experts, are as follows:
Description: SQL Injection via WP_Query
Affected Versions: WordPress Core < 5.8.3
CVE ID: CVE-2022-21661
CVSS Score: 8.0 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 5.8.3
Researcher/s: ngocnb and advice from GiaoHangTietKiem JSC
This vulnerability cannot be exploited directly through WordPress core, but some plugins and themes use WP_Query in a way that allows SQL injection.
Description: Author+ Stored XSS via Post Slugs
Affected Versions: WordPress Core < 5.8.3
CVE ID: CVE-2022-21662
CVSS Score: 8.0 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Fully Patched Version: 5.8.3
Researcher/s: Karim El Ouerghemmi and Simon Scannell of SonarSource
As with most XSS vulnerabilities, this could let hackers take control of your entire website or add backdoors. But it is only exploitable by users who have permission to publish posts.
This vulnerability allows users such as Authors and WooCommerce Shop Owners to add scripts to the site.
Description: Blind SQL Injection via WP_Meta_Query
Affected Versions: WordPress Core 4.1 – 5.8.2
CVE ID: CVE-2022-21664
CVSS Score: 7.4 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 5.8.3
Researcher/s: Ben Bidner from the WordPress security team
This vulnerability is related to the SQL Injection via WP_Query issue described above.
Description: Super Admin Object Injection in Multisites
Affected Versions: WordPress Core < 5.8.3
CVE ID: CVE-2022-21663
CVSS Score: 6.6 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 5.8.3
Researcher/s: Simon Scannell of SonarSource
This vulnerability is unlikely to be exploited, as it requires Super Admin privileges and only affects WordPress Multisite.
Because of these conditions, this vulnerability is not considered too dangerous, so you can rest assured.
Summary
WordPress is still the most widely used CMS today, and it is also a frequent target of hackers exploiting security holes.
Therefore, to stay safe, you should take measures to strengthen the security of your website.
And remember to make a full backup.