While WordPress 5.9 is about to arrive, the WordPress core team has pushed a new update, 5.8.3, for four different security issues: CVE-2022-21661, CVE-2022-21662, CVE-2022-21663, and CVE-2022-21664. All of those issues except CVE-2022-21663 carry a CVSS score rated “High”. The new patch fixes all of them.
The update is pushed as an automatic update, so most WordPress websites should already be protected. However, websites with read-only file systems, or those that disable WordPress automatic core updates with define( 'WP_AUTO_UPDATE_CORE', false ); in wp-config.php, might not have been updated. Those websites should be updated to the latest version immediately.
The fixes included in WordPress 5.8.3 are also backported as far back as WordPress 3.7. That means that even if your website runs one of the older WordPress versions, as long as automatic core updates are not disabled, you will receive the relevant fixes for the aforementioned WordPress flaws.
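A quick way to find the installs that the two paragraphs above single out, as an added example (not part of the article or of WordPress itself): the script below reads the core version from wp-includes/version.php, checks whether wp-config.php contains the WP_AUTO_UPDATE_CORE false define, and flags anything still below 5.8.3. The install paths, the helper names and the sample files it creates are all constructed for the demonstration. Because the article says the fixes were backported to older branches without listing those branches' point releases, the version check deliberately treats every version below 5.8.3 as needing a look rather than trying to guess which older point releases are patched.

```shell
#!/bin/sh
# Added example, not from the article: audit a WordPress install directory for
# the 5.8.3 fixes and for disabled automatic core updates.

# Return 0 when dotted version $1 is >= dotted version $2 (compares up to 3 parts).
version_ge() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# Print the $wp_version value from a wp-includes/version.php file (empty if absent).
wp_core_version() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1" 2>/dev/null
}

# Return 0 when wp-config.php sets WP_AUTO_UPDATE_CORE to false on an uncommented line.
auto_update_disabled() {
    grep -v '^[[:space:]]*//' "$1" 2>/dev/null |
        grep -Eq "define\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*false[[:space:]]*\)"
}

# Verdict for one install directory: return 0 when on 5.8.3 or later, 1 otherwise.
check_install() {
    ver=$(wp_core_version "$1/wp-includes/version.php")
    if version_ge "$ver" "5.8.3"; then
        echo "OK: core ${ver} includes the 5.8.3 fixes"
        return 0
    fi
    if auto_update_disabled "$1/wp-config.php"; then
        echo "ACTION: core ${ver:-unknown} and WP_AUTO_UPDATE_CORE is false, update manually"
    else
        echo "WARN: core ${ver:-unknown}, automatic update pending or blocked (read-only filesystem?)"
    fi
    return 1
}

# Build a constructed sample install (not a real site): $1 = version, $2 = wp-config line.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$1" > "$dir/wp-includes/version.php"
    printf "<?php\n%s\n" "$2" > "$dir/wp-config.php"
    echo "$dir"
}

# Demo on two constructed installs; replace with real paths such as /var/www/html.
old_site=$(make_sample 5.8.2 "define( 'WP_AUTO_UPDATE_CORE', false );")
new_site=$(make_sample 5.8.3 "")
check_install "$old_site" || :
check_install "$new_site" || :
```

On a live host, point check_install at the document root of each site; an ACTION line means the site matches the article's description of an install that will not update itself.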
Here are some details for the security issues:
- CVE-2022-21661: It has a CVSS score of 8.0 (High) and affects all WordPress versions older than 5.8.3. With this flaw, some plugins and themes open the door to SQL injection via WP_Query. WordPress core alone cannot be exploited.
- CVE-2022-21662: It also has a CVSS score of 8.0 (High) and affects all WordPress versions older than 5.8.3. It allows users with post-publishing permissions, as well as WooCommerce shop owners, to completely take over the website or to create a malicious backdoor.
- CVE-2022-21663: It has a CVSS score of 6.6 (Medium) and affects all WordPress versions older than 5.8.3. It allows code injection. It only affects multisite WordPress installations and requires Super Administrator privileges. The flaw is only dangerous for multisite websites with extremely strict security that restricts even Super Admins from executing arbitrary code. Yes, it is super rare.
- CVE-2022-21664: It has a CVSS score of 7.4 (High) and affects WordPress versions between 4.1 and 5.8.3. It allows blind SQL injection via WP_Meta_Query.
While the fixed version is pushed as an automatic update, you can also download the latest version from WordPress.org or check the Updates tab in the WordPress dashboard.