The information below was sent to U-M IT groups on September 10, 2021. It is intended for U-M IT staff who are responsible for university websites that use WordPress.
Summary
WordPress 5.4-5.8 are affected by multiple vulnerabilities that an attacker could exploit to take control of an affected website. These vulnerabilities are fixed with WordPress 5.8.1 Security and Maintenance Release.
Problem
Three security flaws in the core codebase of WordPress include:
-
Data exposure vulnerability within the REST API, an interface that allows plugins and themes to interact with WordPress core.
-
Cross-site scripting (XSS) vulnerability in the Gutenberg block editor.
-
Multiple vulnerabilities in the Lodash JavaScript Library that are rated critical to high severity.
Affected Versions
WordPress 5.4-5.8
Action Items
Upgrade to WordPress 5.8.1 as soon as possible after appropriate testing. See WordPress 5.8.1 Security and Maintenance Release for details.
Threats
An attacker could exploit the vulnerabilities to take control of an affected website.
How We Protect U-M
-
IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.
-
IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
-
IA provides vulnerability management guidance to the university.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
-
WordPress 5.8.1 Security and Maintenance Release, WordPress, 9/9/21
-
WordPress Releases Security Update, Cybersecurity and Infrastructure Security Agency, 9/10/21
-
WordPress 5.8.1 security release addresses trio of vulnerabilities, The Daily Swig, 9/2021
-
WordPress 5.8.1 Released to Fix Multiple Vulnerabilities, Search Engine Journal, 9/9/21