WordPress has announced version 5.8.1 as a new security and maintenance release. It is important to ensure that you update WordPress so that security issues are fixed.
What security issues are there?
The three security vulnerabilities that are fixed are:
- A data exposure vulnerability within the REST API.
- Cross-Site Scripting (XSS) vulnerability in the Gutenburg blog editor.
- Multiple critical to high severity vulnerabilities in the Lodash JavaScript Library.
What has WordPress said?
The official WordPress announcement recommends updating:
“Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.”
You can see their official announcement of this security and maintenance release here
It is important to note that as WordPress has recommended updating immediately, it shows that this needs to be done immediately as these vulnerabilities are concerning!
REST API Vulnerability
The WordPress REST API is the interface that allows plugins and themes to interact with the WordPress core.
This vulnerability is described as a data exposure vulnerability, which means that sensitive information can be accessed – such as passwords to data that could mount an attack through another vulnerability.
WordPress Gutenburg XSS Vulnerability
Cross-Site scripting vulnerabilities happen whenever there is input on a site that is not sanitised and scripts can be uploaded by unauthorised people that cause unwanted behaviour.
The Open Web Application Security Project (OWASP) describes the potential harm of XSS vulnerabilities:
“An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script.
Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.”
This specific vulnerability affects the Gutenberg block editor.
WordPress Lodash JavaScript Library Vulnerabilities
These vulnerabilities may be the most concerning. The Lodash JavaScript library is a set of scripts used by developers that have been found to have multiple vulnerabilities.
The latest and safest version is Lodash 4.17.21.
The U.S. Homeland Security sponsored CVE List website details the vulnerability:
“Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.”
There appear to be many other vulnerabilities affecting the Lodash library in the 4.1.7 branch as well.
Read more about this new release and the vulnerabilities
If you would like to read more about the WordPress version 5.8.1 release, you can find out more information in this Search Engine Journal article here.
Do you have a website and would you like support with updates?
Here at O’Brien Media, we are WordPress lovers and experts!
If you like to take away the hassle of performing updates yourself and want to ensure that your site is always up to date, take a look at our Hosting and Support plans here.