ADVISORY: Update WordPress to address security vulnerabilities

Monday, January 10, 2022

The information below was sent to U-M IT groups on January 10, 2022. It is intended for U-M IT staff who are responsible for university websites that use WordPress.

Summary

WordPress versions 3.7-5.8 are affected by multiple vulnerabilities that an attacker could exploit to take control of an affected website. These vulnerabilities are fixed in the WordPress 5.8.3 Security Release.

Problem

The four security flaws in the WordPress core codebase are:

  • SQL injection due to lack of data sanitization in WP_Meta_Query

  • Authenticated Object Injection in Multisites

  • Stored Cross-Site Scripting (XSS) through authenticated users

  • SQL Injection through WP_Query due to improper sanitization

Affected Versions

WordPress 3.7-5.8

Action Items

Upgrade to WordPress 5.8.3 as soon as possible after appropriate testing. See WordPress 5.8.3 Security Release for details.
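To find which sites on a server still need this upgrade, the following added example (not part of the original advisory) walks a directory tree and reads the core version that WordPress records in wp-includes/version.php. It assumes every release from 3.7 up to, but not including, 5.8.3 counts as affected, following the range and fixed release stated above; the root path passed on the command line is a placeholder for your own web root.

```python
import os
import re
import sys

# Affected range and fixed release, as stated in the advisory (assumption:
# every release from 3.7 up to but not including 5.8.3 is treated as affected).
AFFECTED_MIN = (3, 7, 0)
FIXED = (5, 8, 3)

# WordPress core records its version in wp-includes/version.php, e.g.
#   $wp_version = '5.8.2';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)


def parse_version(text):
    """Return (major, minor, patch) from a string such as '5.8' or '5.9-RC1'."""
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not nums:
        return None
    return tuple(int(n or 0) for n in nums.groups())


def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' (older than 3.7) or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v >= FIXED:
        return "fixed"
    return "affected" if v >= AFFECTED_MIN else "not-listed"


def scan(root):
    """Find WordPress installs under root; return sorted (path, version, status)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in files:
            with open(os.path.join(dirpath, "version.php"), errors="replace") as fh:
                m = VERSION_RE.search(fh.read())
            version = m.group(1) if m else ""
            results.append((os.path.dirname(dirpath), version, classify(version)))
    return sorted(results)


if __name__ == "__main__":
    # Usage: python wp_inventory.py /path/to/webroot   (path is a placeholder)
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {version or '?':10} {path}")
```

A status of "unknown" means version.php was found but no version string could be read from it, so that install needs a manual check.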

Threats

An attacker could potentially exploit the vulnerabilities to perform XSS and SQL injection against a vulnerable website.

How We Protect U-M

  • IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.

  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.

  • IA provides vulnerability management guidance to the university.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.
