WordPress introduces an emergency patch for four critical vulnerabilities. WordPress 5.8.3 is available immediately.
WP_Meta_Query and WP_Query, two of the content management system’s classes, were found to be vulnerable to SQL injection attacks. Furthermore, post slugs (the extensions of URLs) enabled cross-site scripting (XSS) attacks. Some of WordPress’ multisites were susceptible to PHP object injection. The latter creates the risk of remote code execution (RCE).
WordPress 5.8.3 resolves each vulnerability. According to the US National Vulnerability Database, the vulnerabilities are critical. Patching is recommended.
Since the end of 2021, WordPress developers have been under pressure. The team hoped to ship the platform’s next major release (5.9) in December 2021. The schedule proved unrealistic, and 5.9 has been delayed until January 25, 2022.
Addison Stavlo, one of the open-source platform’s developers, described the development process of 5.9 as a “red flag” and “dangerously rushed”. Search Engine Journal, an online publication, speculated that the vulnerabilities could have been prevented with more time and attention for security. Although there’s truth to the message, work pressure is temporary, and the vulnerabilities have been present since 2013.