Update WordPress to address security vulnerabilities

This message is intended for U-M IT staff who are responsible for university web servers that run WordPress.

Summary

WordPress versions 6.8, 6.9, 7.0, and 7.1 are affected by vulnerabilities that an attacker could exploit to take control of an affected website. These vulnerabilities are fixed with WordPress 7.0.2 Security Release.

Problem

Two vulnerabilities impact multiple versions of WordPress:

  • A facilitated SQL injection issue.
  • A REST API batch-route confusion and SQL injection issue leading to Remote Code Execution.

Threats

Due to low complexity of attack, widespread exploitation may be likely.

Affected Versions

  • WordPress 7.0 prior to version 7.0.2 is affected by both vulnerabilities.
  • WordPress 6.9 prior to version 6.9.5 is affected by both vulnerabilities.
  • WordPress 6.8 prior to version 6.8.6 is only affected by the first vulnerability.
  • The beta release of WordPress 7.1 is affected by both vulnerabilities.

Note: Versions of WordPress prior to 6.8 are not affected.

Websites that are protected by Cloudflare Web Application Firewall (WAF) have reduced exposure to attack, but these protections are not a substitute for patching. 

Action Items

Upgrade to a fixed version WordPress as soon as possible:

  • For WordPress 7.0, version 7.0.2 has been released
  • For WordPress 6.9, version 6.9.5 has been released
  • For WordPress 6.8, version 6.8.6 has been released
  • For the beta release of WordPress 7.1, version 7.1 beta2 has been released

The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

WordPress installations and auto-updates

  • WordPress installations in hosting environments that facilitate auto-updates and that are configured to auto-update will automatically receive these updates. 
  • WordPress installations in U-M Pantheon web hosting and U-M afs-based web hosting environments will NOT be auto-updated.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.