Security researchers have reported an Object Injection vulnerability in WordPress. The National Vulnerability Database rates its impact as “critical”. WordPress users should patch their sites as soon as possible.
The Critical Object Injection Vulnerability
The object injection issue in PHPMailer, tracked under two CVE identifiers (CVE-2020-36326 and CVE-2018-19296), has alarmed the cybersecurity community.
The flaw is rated near the highest level of severity: on the Common Vulnerability Scoring System (CVSS) scale of 1 to 10, the newer CVE-2020-36326 scores 9.8.
The Owasp.org security website describes this PHP Object Injection vulnerability in the following way:
PHP Object Injection is an application-level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal, and Application Denial of Service, depending on the context.
According to the analysis in the official United States government National Vulnerability Database, the problem arose from the fix for the earlier vulnerability (CVE-2018-19296), which also concerned the PHPMailer module. That fix apparently introduced a new vulnerability, which demanded the immediate release of a WordPress update.
The critical WordPress vulnerability has been patched. The patch updates the WordPress system to version 5.7.2.
How to Update WordPress to Version 5.7.2
Which WordPress versions are affected by this critical vulnerability? The security issue is reported to affect WordPress versions from 3.7 through 5.7. Fortunately, every WordPress branch since 3.7 has received an update that fixes the PHPMailer object injection vulnerability.
All sites configured to install available updates automatically should already be up to date, and their publishers need take no further action. Still, all publishers are encouraged to check which WordPress version they are running and ensure their sites are on version 5.7.2.
Site owners can also update to WordPress 5.7.2 manually, either by downloading the update from WordPress.org or by opening the WordPress Dashboard, selecting Updates, and clicking Update Now.
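For publishers who manage many installs, the version check above can be scripted against the `$wp_version` assignment in `wp-includes/version.php`. The following is an added example written for this article, not code from WordPress or the researchers; it applies the affected range the article reports (3.7 through 5.7, fixed in 5.7.2) and uses a constructed sample of the version file.

```python
import re
from typing import Optional, Tuple

# Range reported in this article: 3.7 through 5.7 affected, 5.7.2 carries the fix.
AFFECTED_MIN = (3, 7, 0)
PATCHED = (5, 7, 2)

# The assignment WordPress writes in wp-includes/version.php.
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(version_php: str) -> Optional[Tuple[int, int, int]]:
    """Extract $wp_version from the text of wp-includes/version.php.

    Returns a (major, minor, patch) tuple, or None if the assignment is missing.
    Pre-release suffixes such as '5.7.2-RC1' are dropped before comparing.
    """
    m = VERSION_RE.search(version_php)
    if not m:
        return None
    core = m.group(1).split("-")[0]                     # '5.7.2-RC1' -> '5.7.2'
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)                                 # '5.7' -> (5, 7, 0)
    return (parts[0], parts[1], parts[2])


def assess(version_php: str) -> dict:
    """Classify a site against the 5.7.2 fix described in this article."""
    v = parse_wp_version(version_php)
    if v is None:
        return {"version": None, "status": "unknown", "action": "could not read $wp_version"}
    label = ".".join(map(str, v))
    if v >= PATCHED:
        return {"version": label, "status": "patched", "action": "none"}
    if v >= AFFECTED_MIN:
        # Older branches also received backported fixes (every branch since 3.7
        # was updated), so a maintained old branch may already be safe; this
        # check deliberately errs toward asking for a manual update.
        return {"version": label, "status": "affected",
                "action": "update to 5.7.2 (Dashboard > Updates > Update Now)"}
    return {"version": label, "status": "out-of-range", "action": "older than 3.7; upgrade anyway"}


# Constructed sample of the relevant line of wp-includes/version.php (not from a real site).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '5.7.1';\n"

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_PHP))
```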