Some nice finds in today’s WordPress 5.8.3 security release. Be sure to update. Props to all contributors for responsibly disclosing and coordinating fixes.
Security Updates
Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t updated to 5.8 yet, the older branches (since 3.7) were also patched to address these (where applicable):
- Stored XSS via post slugs — reported by Karim El Ouerghemmi and Simon Scannell of SonarSource.
- Object injection on some multisite installations — reported by Simon Scannell (SonarSource).
- SQL injection in
WP_Query— reported by ngocnb and khuyenn of GiaoHangTietKiem JSC via Trend Micro ZDI. - SQL injection in
WP_Meta_Query(relevant to versions 4.1–5.8) — reported by Ben Bidner, WordPress Security Team.
If automatic updates are disabled, schedule a maintenance window or update now. As always, back up the site and database first, and validate critical flows post-update.
NOC — Authoritative DNS, CDN & WAF
Accelerate and protect your sites with global DNS, edge caching, and an always-on web application firewall.
See Plans