In a recent announcement, WordPress claimed to have patched four different core vulnerabilities. These core vulnerabilities stem from flaws introduced by WordPress's own development team. Here is some more information about them.
What are the Four WordPress Vulnerabilities Mentioned in This Announcement?
The WordPress announcement mentioned above gave few details about which core vulnerabilities were discovered. However, the government agency in charge of logging and publicizing security vulnerabilities rated these problems as high as an eight on a scale from one to ten. This agency, the United States Government National Vulnerability Database, was created in 2005 to monitor severe online security threats.
The four WordPress vulnerabilities previously mentioned are:
- SQL injection via WP_Query caused by improper sanitization (Level 8 security threat)
- SQL injection in WP_Meta_Query caused by a lack of data sanitization (Level 7.4 security threat)
- Stored cross-site scripting via authenticated users (Level 6.6 security threat)
- Authenticated object injection via Multisite (Level 6.6 security threat)
Security researchers not employed by WordPress discovered three of these four security threats. The WordPress team was unaware of them until these independent researchers reported them. Once the team received this information, it began fixing the vulnerabilities before they were widely publicized.
Was Rushed Update Development To Blame For These Security Issues?
In 2021, the development of WordPress updates slowed down significantly. In fact, the developers had to delay the 5.9 update to late 2022 because of development issues. Many core developers raised concerns about the pace of update development and how it could affect core security.
Many development professionals place the blame for these security vulnerabilities squarely on an unrealistic WordPress update calendar. Typically, there are around four WordPress updates a year. However, this was reduced to three in 2022 on the heels of the news about these core vulnerabilities.
Many experts in online security suggest that WordPress should release fewer updates so it can focus on quality over quantity. These experts believe that fewer updates would help ensure vulnerabilities of this kind are not released to the public.
Where Does WordPress Go From Here?
To their credit, the WordPress team began fixing the core vulnerabilities in their system as soon as they were notified. If you currently use WordPress to power your website, you need to download the latest version of WordPress. Version 5.8.3 contains fixes for these vulnerabilities along with other design updates.
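The practical check that follows from this advice is whether a site is still running a release older than 5.8.3. The script below is an added example, not code from WordPress or from this article: it reads the `$wp_version` string out of a copy of `wp-includes/version.php` (a constructed sample is embedded) and reports whether that version is at or above 5.8.3. It assumes, as the article states, that 5.8.3 is the fixed release, and does not evaluate older maintenance branches.

```python
import re
from typing import Optional, Tuple

# Release the article names as containing the fixes for the four vulnerabilities.
PATCHED_VERSION = "5.8.3"


def parse_wp_version(version_php: str) -> Optional[str]:
    """Extract the $wp_version string from the contents of wp-includes/version.php."""
    match = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sortable key: numeric components, then a flag so that a pre-release
    such as '5.8.3-RC1' sorts below the final '5.8.3'."""
    base, separator, _suffix = version.partition("-")
    numbers = tuple(int(part) for part in base.split("."))
    numbers = numbers + (0,) * (3 - len(numbers))  # '5.9' -> (5, 9, 0)
    return numbers, 0 if separator else 1


def is_patched(version: str) -> bool:
    """True when the installed version is 5.8.3 or newer."""
    return version_key(version) >= version_key(PATCHED_VERSION)


def check_site(version_php: str) -> str:
    """Human-readable verdict for one site's version.php contents."""
    version = parse_wp_version(version_php)
    if version is None:
        return "unknown: could not read $wp_version"
    verdict = "patched" if is_patched(version) else "UPDATE REQUIRED (older than 5.8.3)"
    return f"{version}: {verdict}"


# Constructed sample of a version.php file from a site that has not updated yet.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '5.8.2';\n$wp_db_version = 49752;\n"

if __name__ == "__main__":
    print(check_site(SAMPLE_VERSION_PHP))  # prints "5.8.2: UPDATE REQUIRED (older than 5.8.3)"
```

To run it against a real install, pass the contents of that site's `wp-includes/version.php` to `check_site` instead of the sample.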
If you are unsure about how to update your existing WordPress software, then reaching out to a web development professional for assistance is a wise move.