23 Feb WordPress Core Vulnerabilities: What You Need to Know
Earlier this month, WordPress released a security statement to announce it has pushed out an automatic update on version 5.8.2 to patch (which is dev lingo for ‘fix’) severe vulnerabilities in WordPress websites . These flaws were announced by the WordPress development team itself and can impact all WordPress websites, so it is important to ensure that your website is being maintained with updates to the CMS, theme and plugins while also being sure that your website is regularly backed up as a safety precaution.
Essentially, a vulnerability is a weakness or flaw in a website that can be exploited by hackers and cyber attackers. Most of the time, hackers don’t single-out a specific website – they simply use “crawlers” to find vulnerabilities on websites and then make use of that vulnerability to gain access to the backend of your website, which can result in them getting their hands on important information like client details, credit card information, contact info, and access to social platforms which is later sold to unethical marketers or online criminals.
Being the world’s biggest and most widely used website builder makes WP a pretty big target for web attackers, which means these vulnerabilities should be taken very seriously. In fact, these vulnerabilities in particular were so severe, that if an attacker were to exploit them, they would be able to completely take over the site. Yikes! So, here’s the lowdown on what you need to know, to ensure your website is safe and secure.
Who does it affect?
Automated core updates were introduced back in 2013 on WordPress 3.7, and according to official statistics, about 0.7% of all WordPress sites are currently running a version older than that. This means that sites using WordPress 5.8.2 or older could be vulnerable to attacks.
WordPress vulnerabilities
The following four vulnerabilities were patched with WordPress version 5.8.3, three of which are rated of very high importance.
SQL Injection through WP_Query due to improper sanitization
- Severity level rating: high 8.0
- This flaw is exploitable via plugins and themes that use WP-Query.
- The fixes cover WordPress versions down to 3.7.37
Stored Cross Site Scripting (XSS) through authenticated users
- Severity level rating: high 8.0
- Vulnerability allows authors with lower privilege users to add a malicious backdoor or take over a site by abusing post slugs.
- The fixes cover WordPress versions down to 3.7.37
SQL injection due to lack of data sanitization in WP_Meta_Query
- Severity level rating: high 7.4
- Fixes cover WordPress versions down to 4.1.34
Authenticated Object Injection in Multisites
- Severity level rating: medium 6.6
- Can only be exploited if a threat actor (anyone with an intent to cause harm to your cyber security) has compromised the admin account.
- The fixes cover WordPress versions down to 3.7.37
I have a WordPress site, now what?
Contact your webmaster or administrator to double-check which version your site runs on, to ensure it cannot be targeted. It’s imperative that your WordPress Installation is updated to the latest version 5.8.3 immediately, as well as review your firewall configuration, and ensure that WP core updates are activated.
The importance of website maintenance
This WordPress security update is a perfect example of just how crucial it is to regularly maintain your site. In the same way that you need to frequently service your car to keep it in good nick, the same goes for your website to ensure site security, increase SEO, as well as many other benefits.
Need a hand?
If ‘patches’ and ‘data sanitization’ sound like gobbledygook, or you simply need a team to manage your website maintenance so that you can focus on what you do best, then look no further than our experienced Digital Marketing Company. Make sure you contact the SOMS Digital Marketing team today for a tailored package that suits your unique needs and budget.
Originally posted 2022-01-14 11:46:31.