WordPress 5.8.3 fixes core vulnerabilities
A new WordPress security patch was announced and released yesterday that fixes four significant core security issues.
By default, all managed WordPress sites have automatic security updates enabled. As such, you should already be protected against the vulnerabilities mentioned below. If you have disabled automatic updates, you should update your WordPress installation as soon as possible.
Affected Versions
WordPress versions 3.7 through to 5.8.2 are affected by these vulnerabilities.
Discovery
According to the official 5.8.3 announcement from WordPress.org, three of the four vulnerabilities were discovered outside of the WordPress development and security teams.
The threats were privately disclosed to the WordPress security team, and the issues were patched before any sites could be attacked.
Known Vulnerabilities
- A stored cross-site scripting (XSS) issue through post slugs.
- An issue with object injection with some multisite installations.
- An SQL injection vulnerability within WP_Query.
- An SQL injection vulnerability within WP_Meta_Query with certain WordPress versions.
Upcoming Releases
This security release is expected to be the last 5.8-related patch on the road to version 5.9, which is expected later this month.