ADVISORY: Update WordPress to address security vulnerabilities

WordPress versions 3.7-5.8 are affected by multiple vulnerabilities that an attacker could exploit to take control of an affected website. These vulnerabilities are fixed with WordPress 5.8.3 Security Release.

Four security flaws in the core codebase of WordPress include:

• SQL injection due to lack of data sanitization in WP_Meta_Query

• Authenticated Object Injection in Multisites

• Stored Cross Site Scripting (XSS) through authenticated users

• SQL Injection through WP_Query due to improper sanitization

WordPress 3.7-5.8

Upgrade to WordPress 5.8.3 as soon as possible after appropriate testing. See WordPress 5.8.3 Security Release for details.

An attacker could potentially exploit the vulnerabilities to perform XSS and SQL injection against a vulnerable website.

• IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.

• IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.

• IA provides vulnerability management guidance to the university.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Please contact ITS Information Assurance through the ITS Service Center.

• WordPress 5.8.3 Security Release, WordPress, 1/6/22 

• WordPress Releases Security Update, Cybersecurity and Infrastructure Security Agency, 1/7/22

• WordPress Core Vulnerabilities Hits Millions of Sites, Search Engine Journal, 1/6/22

• Technical Advisory: WordPress Core 5.8.3 Security Update, Patchstack, 1/7/22