The information below was sent to U-M IT groups on January 10, 2022. It is intended for U-M IT staff who are responsible for university websites that use WordPress.
Summary
WordPress versions 3.7-5.8 are affected by multiple vulnerabilities that an attacker could exploit to take control of an affected website. These vulnerabilities are fixed with WordPress 5.8.3 Security Release.
Problem
Four security flaws in the core codebase of WordPress include:
-
SQL injection due to lack of data sanitization in WP_Meta_Query
-
Authenticated Object Injection in Multisites
-
Stored Cross Site Scripting (XSS) through authenticated users
-
SQL Injection through WP_Query due to improper sanitization
Affected Versions
WordPress 3.7-5.8
Action Items
Upgrade to WordPress 5.8.3 as soon as possible after appropriate testing. See WordPress 5.8.3 Security Release for details.
Threats
An attacker could potentially exploit the vulnerabilities to perform XSS and SQL injection against a vulnerable website.
How We Protect U-M
-
IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.
-
IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
-
IA provides vulnerability management guidance to the university.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
-
WordPress 5.8.3 Security Release, WordPress, 1/6/22
-
WordPress Releases Security Update, Cybersecurity and Infrastructure Security Agency, 1/7/22
-
WordPress Core Vulnerabilities Hits Millions of Sites, Search Engine Journal, 1/6/22
-
Technical Advisory: WordPress Core 5.8.3 Security Update, Patchstack, 1/7/22