ADVISORY: Upgrade WordPress to version 5.8.1 to address vulnerabilities

Friday, September 10, 2021

The information below was sent to U-M IT groups on September 10, 2021. It is intended for U-M IT staff who are responsible for university websites that use WordPress.

Summary

WordPress versions 5.4 through 5.8 are affected by multiple vulnerabilities that an attacker could exploit to take control of an affected website. These vulnerabilities are fixed in the WordPress 5.8.1 Security and Maintenance Release.

Problem

The three security flaws in the WordPress core codebase are:

  • Data exposure vulnerability within the REST API, an interface that allows plugins and themes to interact with WordPress core.

  • Cross-site scripting (XSS) vulnerability in the Gutenberg block editor.

  • Multiple vulnerabilities in the Lodash JavaScript Library that are rated critical to high severity.

Affected Versions

WordPress 5.4-5.8

Action Items

Upgrade to WordPress 5.8.1 as soon as possible after appropriate testing. See WordPress 5.8.1 Security and Maintenance Release for details.
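As an added example (not part of this advisory), the following Python script shows one way for IT staff to triage a fleet of sites against the affected range above: it reads the `$wp_version` line from each site's `wp-includes/version.php` and classifies the version as affected (5.4 up to but not including 5.8.1), patched (5.8.1 or later), older than the advisory's range, or unknown. The hostnames and file contents are constructed sample input.

```python
import re
from typing import Dict, Optional, Tuple

# Range stated in the advisory: 5.4 through 5.8 are affected, 5.8.1 carries the fix.
AFFECTED_MIN = (5, 4, 0)
FIXED_IN = (5, 8, 1)

# Constructed sample input: contents of wp-includes/version.php collected from
# hypothetical hosts (hostnames and values are made up for this example).
SAMPLE_SITES: Dict[str, str] = {
    "site-a.example": "<?php\n$wp_version = '5.8';\n$wp_db_version = 49752;\n",
    "site-b.example": "<?php\n$wp_version = '5.8.1';\n",
    "site-c.example": "<?php\n$wp_version = '5.4.6';\n",
    "site-d.example": "<?php\n$wp_version = '5.3.9';\n",
    "site-e.example": "<?php\n/* truncated collection, no version line */\n",
}

# Matches a release-style assignment only; pre-release strings such as
# '5.8.1-alpha-12345' deliberately fail to match and are reported as unknown.
_VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"](\d+(?:\.\d+)*)['"]\s*;""")


def parse_wp_version(version_php: str) -> Optional[Tuple[int, int, int]]:
    """Return $wp_version as a (major, minor, patch) tuple, e.g. '5.8' -> (5, 8, 0)."""
    match = _VERSION_RE.search(version_php)
    if match is None:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]          # pad so '5.8' compares equal to 5.8.0
    return parts[0], parts[1], parts[2]


def classify(version: Optional[Tuple[int, int, int]]) -> str:
    """Map a parsed version to an action category for this advisory."""
    if version is None:
        return "unknown"                       # collect manually before deciding
    if version >= FIXED_IN:
        return "patched"                       # 5.8.1 or later
    if version >= AFFECTED_MIN:
        return "affected"                      # 5.4 <= v < 5.8.1: upgrade to 5.8.1
    return "older-than-range"                  # below 5.4: not covered by this advisory


def triage(sites: Dict[str, str]) -> Dict[str, str]:
    """Classify every collected version.php; keys are hosts, values are categories."""
    return {host: classify(parse_wp_version(body)) for host, body in sites.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_SITES).items()):
        print(f"{host:20s} {status}")
```

Sites reported as "older-than-range" are outside what this advisory covers but still run unsupported code, so they belong on the same upgrade list.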

Threats

An attacker could exploit the vulnerabilities to take control of an affected website.

How We Protect U-M

  • IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems.

  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.

  • IA provides vulnerability management guidance to the university.

Information for Users

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.
