WordPress has announced that it has patched a total of four security vulnerabilities within the WordPress Core.
These vulnerabilities are rated as high as an 8/10 in terms of danger level. It is recommended that you update your WordPress websites immediately to prevent your website from being attacked.
The four vulnerabilities that have been announced:
-
Due to lack of proper sanitization in
WP_Meta_Query, there’s potential for blind SQL Injection. (Moderate Severity) -
On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. (Low Severity)
- Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. (Moderate Severity)
-
Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. (High Severity)
What Is Sanitization?
Sanitization is the process of cleansing user input and ensuring dangerous characters are not inputted into the database that could allow a malicious user to gain administrator access to your website via SQL Injection.
WordPress Documentation describes data sanitation as:
Sanitization is the process of cleaning or filtering your input data. Whether the data is from a user or an API or web service, you use sanitizing when you don’t know what to expect or you don’t want to be strict with data validation.
What Is SQL Injection?
SQL Injection is one of the most common website hacking techniques that allows a user to run SQL Query’s unknowingly on your database when their input is not sanitized.