WordPress users should update to version 5.7.2 as soon as possible as the latest release of the world’s most popular CMS includes a security patch which addresses a critical vulnerability.
The vulnerability, tracked as CVE-2020-36326, affects WordPress versions 3.7 to 5.7 and has been given a critical severity rating of 9.8 as it could allow an attacker to perform a variety of malicious attacks against an unpatched site.
While the update containing the patch is now available to download manually, WordPress sites that have automatic downloads enabled will receive it without the need for any additional action.
Site owners should still check to see if they are running the latest version and if not, they should install it themselves to prevent falling victim to any potential attacks exploiting this vulnerability.
Object Injection flaw
The flaw itself is an Object Injection vulnerability found in WordPress’ PHPMailer component that is used to send emails by default.
According to the security firm Wordfence, all Object Injection vulnerabilities require a “POP Chain” in order to cause additional damage. This means that additional software with a vulnerable magic method would need to be running on a WordPress site to exploit this vulnerability, making it quite difficult to do.
In a new blog post, Wordfence’s Ram Gall explained how an attacker could potentially exploit this vulnerability, saying:
“Although anyone with direct access to PHPMailer might be able to inject a PHP object, warranting a critical severity rating in the PHPMailer component itself, WordPress does not allow users this type of direct access. Instead, all access occurs through functionality exposed in core and in various plugins. In order to exploit this, an attacker would need to find a way to send a message using PHPMailer and add an attachment to that message. Additionally, the attacker would need to find a way to completely control the path to the attachment.”
Although it would be quite difficult for an attacker to exploit this vulnerability in the wild, site owners should still update WordPress core to the latest version if they have not done so already.
