WordPress 5.8.1 released to fix several vulnerabilities

WordPress has announced a security and maintenance release, version 5.8.1. It is important to update WordPress, especially versions 5.4 to 5.8 in order to fix three security issues.

WordPress security and maintenance version 5.8.1

It is not uncommon for WordPress or any other software to release a bug fix update following a major version update, in order to address unforeseen issues and introduce improvements that were not ready in time for the major release.

In WordPress, these updates are called a maintenance release.

This update also includes a security update, which is somewhat rare for the WordPress core. This makes this update more important than the classic maintenance version.


WordPress security issues resolved

WordPress 5.8.1 fixes three vulnerabilities:

  1. A data exposure vulnerability within the REST API
  2. Cross-Site Scripting (XSS) vulnerability in Gutenberg block editor
  3. Several critical high severity vulnerabilities in the Lodash JavaScript library

The above three vulnerabilities are of such concern that the WordPress announcement recommends updating WordPress installations immediately.

REST API vulnerability

The WordPress REST API is an interface that allows plugins and themes to interact with the WordPress core.

The REST API has been a source of security vulnerabilities, including most recently with the Gutenberg Template Library & Redux Framework vulnerability which affected over one million websites.


This vulnerability is described as a data exposure vulnerability, which means that sensitive information could be revealed. There are no further details at this time regarding the type of information, but it could be as serious as password data that could be used to launch an attack through another vulnerability.

WordPress Gutenberg XSS vulnerability

Cross-Site Scripting (XSS) vulnerabilities occur relatively frequently. They can occur wherever there is user input, such as a contact or email form: any type of input that is not sanitized can be used to inject scripts that trigger unwanted behavior in the WordPress installation.

The Open Web Application Security Project (OWASP) describes the potential damage from XSS vulnerabilities:

“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way of knowing that the script should not be trusted and will run the script.

Because it believes the script is from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information kept by the browser and used with this site. These scripts can even rewrite the content of the HTML page.”

This specific vulnerability affects the Gutenberg block editor.
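The OWASP description above boils down to untrusted text being inserted into a page without being encoded for the context it lands in. The following is an added example, not code from the article, from WordPress core or from Gutenberg: it shows a comment-rendering routine that concatenates visitor input straight into markup next to the same routine with HTML entity encoding applied, and a crude check that confirms the encoded output no longer contains a live tag. The comment text and author name are constructed sample input.

```javascript
// Added example (not from the article or WordPress core): contextual output
// encoding, the standard defence against the kind of stored XSS described above.

// Encode the five characters that matter in an HTML element/attribute context.
// '&' must be handled first so already-encoded output is not double-encoded later.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe rendering: user-controlled text is concatenated straight into markup,
// so a comment containing a <script> tag becomes executable in every viewer's browser.
function renderCommentUnsafe(author, body) {
  return `<li><strong>${author}</strong>: ${body}</li>`;
}

// Safe rendering: every untrusted value is encoded before it reaches the markup.
function renderCommentSafe(author, body) {
  return `<li><strong>${escapeHtml(author)}</strong>: ${escapeHtml(body)}</li>`;
}

// Crude review helper: does the rendered markup still contain an active tag?
// (A real deployment relies on encoding plus a Content-Security-Policy, not on this check.)
function containsLiveTag(html) {
  return /<\s*(script|img|svg|iframe)\b/i.test(html);
}

// Constructed sample input: the kind of text a visitor could submit through a comment form.
const SAMPLE_AUTHOR = 'visitor';
const SAMPLE_BODY = 'Nice post! <script>/* constructed payload */</script>';

// Render the sample both ways and report whether a live tag survived.
function demo() {
  const unsafe = renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_BODY);
  const safe = renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_BODY);
  return {
    unsafe,
    safe,
    unsafeHasTag: containsLiveTag(unsafe),
    safeHasTag: containsLiveTag(safe),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The fix is applied at output time, not at input time: the stored comment keeps its original text, and the encoding is chosen for where the text is placed. Text placed into a JavaScript string, a URL or a CSS value needs a different encoder than the HTML one shown here.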


WordPress Lodash JavaScript Library Vulnerabilities

These vulnerabilities are perhaps the most worrying. The Lodash JavaScript library is a utility library widely used by developers, and older versions of it contain multiple vulnerabilities.

The most recent and secure version is Lodash 4.17.21.

The CVE List website, sponsored by the US Department of Homeland Security, details the vulnerability:

“Lodash versions prior to 4.17.21 are vulnerable to command injection through the template function.”

It seems that there are also many other vulnerabilities affecting the Lodash library in the 4.1.7 branch.
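Because Lodash is pulled in transitively by build tools and by other libraries, a single project often carries several copies at different versions, and only a lockfile inventory shows all of them. The following is an added example, not code from the article, from WordPress or from the Lodash project: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3), compares every lodash entry against the 4.17.21 version the article names as fixed, and reports the older copies. The lockfile excerpt is constructed, and the version comparison is a minimal numeric one that ignores pre-release tags.

```javascript
// Added example (not from the article, WordPress or Lodash): report every copy of
// lodash in a package-lock.json that is older than the fixed release.
const FIXED_LODASH = '4.17.21';

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release suffixes such as "-beta" are dropped before comparing.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Extract the package name from a lockfile path such as
// "node_modules/foo/node_modules/lodash" (nested copies live under their parent).
function packageName(lockPath) {
  const parts = lockPath.split('node_modules/');
  return parts[parts.length - 1];
}

// Return [{ path, version }] for every lodash entry below FIXED_LODASH.
function findVulnerableLodash(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    if (packageName(path) !== 'lodash') continue;
    if (compareVersions(entry.version, FIXED_LODASH) < 0) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed lockfile excerpt: a hoisted lodash that is already fixed, plus an
// older copy nested under a build tool, as routinely happens in a theme or plugin build.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-theme', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/some-build-tool': { version: '2.3.4' },
    'node_modules/some-build-tool/node_modules/lodash': { version: '4.17.15' },
  },
};

console.log(findVulnerableLodash(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. A nested copy reported here is not fixed by upgrading the top-level dependency; the parent package that pins it has to be updated or the copy overridden.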

WordPress requests immediate update

These security vulnerabilities add a sense of urgency to this update. WordPress recommends that all site owners update.


The official WordPress announcement recommends updating:

“Because this is a security version, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.”

Sources

WordPress security and maintenance version 5.8.1

Description of the Lodash CVE vulnerability CVE-2021-23337
