WordPress 5.8.3 fixes core vulnerabilities

A new WordPress security patch, announced and released yesterday, fixes four significant core security issues.

By default, all managed WordPress sites have automatic security updates enabled. As such, you should already be protected against the vulnerabilities mentioned below. If you have disabled automatic updates, you should update your WordPress installation as soon as possible.


Affected Versions

WordPress versions 3.7 through to 5.8.2 are affected by these vulnerabilities.

Discovery

According to the official 5.8.3 announcement from WordPress.org, three of the four vulnerabilities were discovered outside of the WordPress development and security teams.

The threats were privately disclosed to the WordPress security team, and the issues were patched before any sites could be attacked.

Known Vulnerabilities

  1. A stored cross-site scripting (XSS) issue through post slugs.
  2. An object injection issue in some multisite installations.
  3. An SQL injection vulnerability within WP_Query.
  4. An SQL injection vulnerability within WP_Meta_Query in certain WordPress versions.

Upcoming Releases

This security release is expected to be the last 5.8-related patch before the release of version 5.9, which is expected later this month.