Snynet Solution Logo
MON - SUN: 10 AM - 6 PM
+60 11 5624 8319

Blog

WordPress 5.7.2 release contains a fix for a critical vulnerability

Image Description

WordPress users should update to version 5.7.2 as soon as possible as the latest release of the world's most popular CMS includes a security patch which addresses a critical vulnerability.

The vulnerability, tracked as CVE-2020-36326, affects WordPress versions 3.7 to 5.7 and has been given a critical severity rating of 9.8 as it could allow an attacker to perform a variety of malicious attacks against an unpatched site.

While the update containing the patch is now available to download manually, WordPress sites that have automatic downloads enabled will receive it without the need for any additional action. 

Site owners should still check to see if they are running the latest version and if not, they should install it themselves to prevent falling victim to any potential attacks exploiting this vulnerability.

Object Injection flaw

The flaw itself is an Object Injection vulnerability found in WordPress' PHPMailer component that is used to send emails by default.

According to the security firm Wordfence, all Object Injection vulnerabilities require a “POP Chain” in order to cause additional damage. This means that additional software with a vulnerable magic method would need to be running on a WordPress site to exploit this vulnerability, making it quite difficult to do.

In a new blog post, Wordfence's Ram Gall explained how an attacker could potentially exploit this vulnerability, saying:

“Although anyone with direct access to PHPMailer might be able to inject a PHP object, warranting a critical severity rating in the PHPMailer component itself, WordPress does not allow users this type of direct access. Instead, all access occurs through functionality exposed in core and in various plugins. In order to exploit this, an attacker would need to find a way to send a message using PHPMailer and add an attachment to that message. Additionally, the attacker would need to find a way to completely control the path to the attachment.” 

Although it would be quite difficult for an attacker to exploit this vulnerability in the wild, site owners should still update WordPress core to the latest version if they have not done so already.

Via Search Engine Journal

Date

17 May 2021

Sources

Share

Other Blog

  • AMD Big Navi gets the better of Nvidia Ampere in GPU memory latency test

    AMD has pulled off quite a feat here given how the on-board cache is implemented in these respective graphics cards.

    Read More

  • How to catch the Tokyo Olympics in India - Plus complete schedule of Indian players

    The Tokyo Olympic games, which were delayed by a year due to the pandemic, will see six new sports and 15 new 'events'. The new sports are baseball, softball, karate, sport climbing, surfing, and skateboarding.

    Read More

  • Nvidia might finally have made video conferencing OK

    Nvidia has developed a new GPU-accelerated AI video conferencing platform to improve the quality of video calls.

    Read More

  • AMD RX 6600 XT GPU leak suggests that 8GB VRAM may not be the only disappointment

    New leakage has provided some interesting details on both desktop and laptop versions of RX 6600 GPUs.

    Read More

Find Out More About Us

Want to hire best people for your project? Look no further you came to the right place!

Contact Us