WordPress update fixes a series of high-severity vulnerabilities

[Image: WordPress 5.9 Beta 1 (Image credit: WordPress)]

Developers at WordPress have pushed out an automatic update to millions of users, patching their websites and eliminating multiple vulnerabilities. 

Some of these vulnerabilities were so severe that, if exploited, they could allow an attacker to completely take over the site, whereas others were less dangerous and required some level of admin access to be exploited.

In total, four vulnerabilities were patched with WordPress version 5.8.3. Webmasters and other administrators are advised to double-check the version of WordPress their site runs on, to make sure they cannot be targeted.
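One way to do that version check from the command line rather than by eye is shown below. This is an added example, not code from the article or from WordPress; it reads the real `wp-includes/version.php` file that core ships, extracts the `$wp_version` string, and compares it numerically against the 5.8.3 release named above. The branch thresholds are taken from the article (fix shipped in 5.8.3, backported to every branch since 3.7); the exact backported point releases for the older branches are not listed on the page, so those installs are flagged for manual verification rather than declared patched or unpatched. The sample file contents are constructed.

```python
import re
from pathlib import Path

# Release named by the article as the fix for the four vulnerabilities.
FIXED_RELEASE = (5, 8, 3)
# Oldest branch the article says received a backported fix (the first
# branch with automatic core security updates).
OLDEST_BACKPORTED_BRANCH = (3, 7)

# Constructed sample mirroring the format of wp-includes/version.php in a
# WordPress core install; the version string is the one from the article.
SAMPLE_VERSION_PHP = """<?php
/**
 * WordPress Version
 */
$wp_version = '5.8.3';
"""

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(php_source: str) -> tuple:
    """Extract $wp_version from version.php and return it as an int tuple.

    Comparing integer tuples avoids the string-comparison pitfall where
    '5.8.10' sorts before '5.8.3'. Pre-release suffixes such as
    '5.9-beta1' are dropped; only the numeric components are kept.
    """
    m = _VERSION_RE.search(php_source)
    if not m:
        raise ValueError("no $wp_version assignment found")
    numeric = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", m.group(1))
    if not numeric:
        raise ValueError(f"unrecognised version string {m.group(1)!r}")
    major, minor, patch = numeric.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version: tuple) -> str:
    """Classify an installed version against the 5.8.3 security release.

    Returns one of:
      'patched'         - 5.8.3 or newer
      'unpatched'       - a 5.8.x build older than 5.8.3
      'verify-backport' - a 3.7 .. 5.7 branch; the article says these
                          branches got backported fixes but does not list
                          the exact point releases, so check the branch's
                          own release notes before trusting the install
      'unsupported'     - older than 3.7, outside the auto-update range
    """
    branch = version[:2]
    if version >= FIXED_RELEASE:
        return "patched"
    if branch == FIXED_RELEASE[:2]:
        return "unpatched"
    if branch >= OLDEST_BACKPORTED_BRANCH:
        return "verify-backport"
    return "unsupported"


def check_install(wp_root) -> tuple:
    """Read <wp_root>/wp-includes/version.php and return (version, status)."""
    src = Path(wp_root, "wp-includes", "version.php").read_text(encoding="utf-8")
    version = parse_wp_version(src)
    return version, assess(version)


if __name__ == "__main__":
    # Run against the constructed sample; point check_install() at a real
    # document root to check an actual site.
    v = parse_wp_version(SAMPLE_VERSION_PHP)
    print(".".join(map(str, v)), assess(v))
```

Reading the file on disk is the point: a site's HTML generator tag can be suppressed by themes and plugins, so it is not a reliable way to confirm which core version is actually installed.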

Big platform, big target

Analyzing the security release, WordPress security plugin developers Wordfence said the patch was backported to every version of WordPress since 3.7, the first version that supports automatic core updates for security releases. That means that practically all websites should be secure, as “any sites that remain vulnerable would only be exploitable under very specific circumstances.”

WordPress is the world’s most popular website builder, and as such, is often the target of malicious actors and other cyber crooks. It offers users a web store with thousands of plugins, many of which could carry dangerous vulnerabilities. 

Less than a month ago, it was reported that more than 800,000 WordPress websites were still vulnerable to a “simple” takeover vulnerability, due to not patching up the “All in One” SEO WordPress plugin.

Automattic security researcher Marc Montpas, who first spotted the flaws, said abusing these flaws on vulnerable sites is easy, as all the attacker needs to do is change “a single character to uppercase” to circumvent all privilege checks.

Roughly two months ago, a vulnerability in the Starter Templates - Elementor, Gutenberg & Beaver Builder Templates plugin allowed contributor-level users to completely overwrite any page on the site and embed malicious JavaScript at will. In this case, more than a million sites were at risk.

The same month, the “Preview E-mails for WooCommerce” plugin was also found to hold a serious flaw, potentially allowing attackers complete site takeover. The plugin was used by more than 20,000 sites. 


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
