WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
| Link | Tags |
|---|---|
| https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release/ | release notes vendor advisory |
| https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h | third party advisory |
| https://www.debian.org/security/2022/dsa-5039 | third party advisory vendor advisory |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3/ | vendor advisory |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG/ | vendor advisory |
| https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html | third party advisory mailing list |
| https://blog.sonarsource.com/wordpress-object-injection-vulnerability/ | third party advisory exploit |