The vulnerability, tracked as CVE-2020-36326, affects WordPress versions 3.7 to 5.7 and has been given a critical severity rating of 9.8 as it could allow an attacker to perform a variety of malicious attacks against an unpatched site.
While the update containing the patch is now available to download manually, WordPress sites that have automatic downloads enabled will receive it without the need for any additional action.
- We've built a list of the best managed WordPress hosting providers
- These are the best web hosting services for your website
- Also check out our roundup of the best website builder
Site owners should will still need to check and see if they are running the latest version and if not, they should install it themselves to prevent falling victim to any potential attacks exploiting this vulnerability.
Object Injection flaw
The flaw itself is an Object Injection vulnerability found in WordPress' PHPMailer component that is used to send emails by default.
According to the security firm Wordfence, all Object Injection vulnerabilities require a “POP Chain” in order to cause additional damage. This means that additional software with a vulnerable magic method would need to be running on a WordPress site to exploit this vulnerability, making it quite difficult to do.
In a new blog post, Wordfence's Ram Gall explained how an attacker could potentially exploit this vulnerability, saying:
“Although anyone with direct access to PHPMailer might be able to inject a PHP object, warranting a critical severity rating in the PHPMailer component itself, WordPress does not allow users this type of direct access. Instead, all access occurs through functionality exposed in core and in various plugins. In order to exploit this, an attacker would need to find a way to send a message using PHPMailer and add an attachment to that message. Additionally, the attacker would need to find a way to completely control the path to the attachment.”
Although it would be quite difficult for an attacker to exploit this vulnerability in the wild, site owners are being encouraged to still update their WordPress core to the latest version if they have not done so already.
- We've also featured the best free web hosting