-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0087
                      WordPress 5.8.3 Security Release
                               7 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WordPress
Publisher:         WordPress
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Unknown/Unspecified
                   Cross-site Scripting            -- Unknown/Unspecified
                   Access Confidential Data        -- Unknown/Unspecified
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade

Original Bulletin:
   https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/

- --------------------------BEGIN INCLUDED TEXT--------------------

WordPress 5.8.3 Security Release

Posted January 6, 2022 by Jonathan Desrosiers. Filed under Releases, Security.

This security release features four security fixes. Because this is a security
release, it is recommended that you update your sites immediately. All versions
since WordPress 3.7 have also been updated.

WordPress 5.8.3 is a short-cycle security release. The next major release will
be version 5.9, which is already in the Release Candidate stage.

You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting
your Dashboard -> Updates and clicking Update Now.

If you have sites that support automatic background updates, they've already
started the update process.

Security Updates

Four security issues affect WordPress versions between 3.7 and 5.8. If you
haven't yet updated to 5.8, all WordPress versions since 3.7 have also been
updated to fix the following security issues (except where noted otherwise):

  o Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for
    disclosing an issue with stored XSS through post slugs.

  o Props to Simon Scannell of SonarSource for reporting an issue with Object
    injection in some multisite installations.

  o Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend
    Micro Zero Day Initiative on reporting a SQL injection vulnerability in
    WP_Query.

  o Props to Ben Bidner from the WordPress security team for reporting a SQL
    injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8).

Thank you to all of the reporters above for privately disclosing the
vulnerabilities. This gave the security team time to fix the vulnerabilities
before WordPress sites could be attacked.

Thank you to the members of the WordPress security team for implementing these
fixes in WordPress.

For more information, check out the 5.8.3 HelpHub documentation page.

Thanks and props!

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to the security researchers and release squad members mentioned
above, thank you to everyone who helped make WordPress 5.8.3 happen:

Alex Concha, Dion Hulse, Dominik Schilling, ehtis, Evan Mullins, Jake Spurlock,
Jb Audras, Jonathan Desrosiers, Ian Dunn, Peter Wilson, Sergey Biryukov, vortfu,
and zieladam.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYdfL6ONLKJtyKPYoAQhq4A/+MkLf5pXMb+274H2I+7nkc7Iy58hE7Kwz
u9VZ5sXxS4DqwB+XLnaQwHURIwLxEk0o8STBsnUsWRpZNff3Caz5tNE+w6WnbqL0
83w1H5Nftnawi1QU4A52ufPasHDD1PDXqDD8OuO1Smg8th+Tqstx5TPOlSRLxviJ
tPk8DuApNJ8cC2qGvYosCSM4t3/b9LWi+ahy3dJY/zW+x1fSH40nO0YfEiwfuWbl
jv7vl9wFnYJx4cv8jzVS0+bfSbPXAcKoXkReVKI2ZxbMgEXAXUX+mKUjnQPtXj2l
1xNmA31+yEpvI33JiUeEazJLgq2OjohZWTdFogkwWN7roxufxk4Vh8zaWQEKTxJO
azVFzB1y4QwdyPBeG0EwNBY/Oo8yi81QE8DAj176WiSVH5xT7lZnvisP2okE1JPu
2xF6pBmIEbswOelO0DlGWZlsbmtQ6xNF2MQs6m0lu2LV8FFwXKQTM1eu9TmvRGKP
LnQM2NVoFtOwcBrLihs1J66/8XUAEyby5tdHV2fdfM0mvV4q6nwixPauOJaHyP3F
eDdJ75BnBhOukriYpzp7emPyDo3mpDeLEUUgVsoEuX7BdUH7SfI0l5cHibR6S40n
ohvMbSU8XqjKxsff1dVrTK/YO7ZCicRyPzcXBD+mXIo6Mivd4Oncd2Icabh5Ih+L
oAP3Ly2Lr8c=
=ZN3y
-----END PGP SIGNATURE-----
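The bulletin's resolution is "Patch/Upgrade", and the included text says four issues affect versions 3.7 through 5.8 and that every branch since 3.7 was also updated, without listing those branch point releases. Before relying on Dashboard -> Updates or background updates, an operator with many installs wants to know which document roots are still below 5.8.3. The following audit script is an added example, not code from AusCERT or WordPress.org. It reads the $wp_version literal that WordPress core keeps in wp-includes/version.php, compares it with 5.8.3, and reports each install; because the bulletin does not name the older-branch fixes, installs on a branch other than 5.8 are flagged for a manual check rather than judged against 5.8.3. It also goes slightly beyond the text by handling pre-release tags such as the 5.9 Release Candidate the post mentions. The sample version.php contents and site names are constructed for this example.

```python
"""Audit WordPress document roots against the 5.8.3 security release.

Added example, not part of the AusCERT bulletin or the WordPress.org post.
Reads $wp_version from wp-includes/version.php, compares it with the release
the bulletin announces, and reports which installs still need the update.
The bulletin says every branch since 3.7 also received a fix but does not list
those point releases, so installs on another branch are flagged for a manual
check instead of being judged against 5.8.3.
"""
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

FIXED_RELEASE = "5.8.3"   # release announced in the bulletin
OLDEST_AFFECTED = "3.7"   # bulletin: "versions between 3.7 and 5.8"

# WordPress core stores its version as:  $wp_version = '5.8.2';
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'\s*;")
# Numeric part plus optional pre-release tag, e.g. 5.9-RC1.
_PRERELEASE_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(.+))?$")

# Constructed sample of wp-includes/version.php (not a real file from a site).
SAMPLE_VERSION_PHP = """<?php
/**
 * WordPress Version  (constructed sample for this example)
 */
$wp_version = '5.8.2';
$wp_db_version = 49752;
"""


def extract_wp_version(version_php: str) -> Optional[str]:
    """Return the $wp_version literal from version.php text, or None."""
    m = _VERSION_RE.search(version_php)
    return m.group(1) if m else None


def parse_version(version: str) -> Tuple[Tuple[int, ...], Optional[str]]:
    """Split '5.8.3' or '5.9-RC1' into (numeric tuple, pre-release tag)."""
    m = _PRERELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised WordPress version: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))   # so 5.8 and 5.8.0 compare equal
    return nums, m.group(2)


def assess(version: str) -> str:
    """Classify one install relative to the 5.8.3 security release."""
    nums, pre = parse_version(version)
    fixed, _ = parse_version(FIXED_RELEASE)
    oldest, _ = parse_version(OLDEST_AFFECTED)
    if nums < oldest:
        return "unsupported: older than 3.7, not covered by this release"
    if nums[:2] == fixed[:2]:
        return "ok" if nums >= fixed else "update to 5.8.3"
    if nums > fixed:
        # 5.9 was only at Release Candidate stage when 5.8.3 shipped.
        return "newer branch (pre-release)" if pre else "newer branch"
    return "older branch: check that branch's security point release"


def audit_site_roots(roots: Iterable[Path]) -> Dict[str, str]:
    """Map each document root to a status line; missing files are reported."""
    report: Dict[str, str] = {}
    for root in roots:
        path = Path(root) / "wp-includes" / "version.php"
        if not path.is_file():
            report[str(root)] = "no wp-includes/version.php found"
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        version = extract_wp_version(text)
        report[str(root)] = f"{version}: {assess(version)}" if version else "version not found"
    return report


def demo() -> Dict[str, str]:
    """Build constructed document roots in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, version in (("site-a", "5.8.2"), ("site-b", "5.8.3")):
            inc = Path(tmp) / name / "wp-includes"
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(SAMPLE_VERSION_PHP.replace("5.8.2", version))
        (Path(tmp) / "not-wordpress").mkdir()
        report = audit_site_roots(sorted(Path(tmp).iterdir()))
    # Key by directory name so the output does not depend on the temp path.
    return {Path(k).name: v for k, v in report.items()}


if __name__ == "__main__":
    for site, status in demo().items():
        print(f"{site}: {status}")
```

Run it against real document roots by passing their paths to audit_site_roots; anything reported as "update to 5.8.3" should be updated through Dashboard -> Updates or a fresh download from WordPress.org as the post describes, and "older branch" results need the branch-specific point release confirmed against WordPress.org, since the bulletin does not enumerate them.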