CVE-2021-44223
CVE-2021-44223 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory. EPSS estimates a 28.98% chance of exploitation in the next 30 days.
Description
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
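The weakness is that core asks api.wordpress.org for updates using each installed plugin's slug, so a privately distributed plugin whose slug is free in the directory can be claimed there and "updated" with attacker code. The script below is an added example, not code from WordPress or from the NVD entry: it reads plugin headers the way core's get_file_data() does, and classifies each installed plugin by whether core would still send its slug to WordPress.org. The plugin sources, slugs and hostnames are constructed for the example, and the slug pattern (lowercase letters, digits, hyphens) is an assumption about which slugs the directory accepts.

```python
"""Audit WordPress plugin headers for exposure to plugin-confusion updates."""
import re
from urllib.parse import urlparse

# Core reads headers from the first 8 KiB of the plugin's main file with a
# regex of this shape (get_file_data() in wp-includes/functions.php).
HEADER_BYTES = 8192
HEADER_RE = r'^[ \t\/*#@]*{field}:(.*)$'

# Assumption: WordPress.org plugin slugs are lowercase letters, digits and
# single hyphens; only such slugs can be registered in the directory.
SLUG_RE = re.compile(r'^[a-z0-9]+(?:-[a-z0-9]+)*$')

# Hosts that core treats as "hosted on WordPress.org" for update purposes.
WPORG_HOSTS = {'wordpress.org', 'w.org'}


def read_header(source: str, field: str) -> str:
    """Return the value of one plugin header field, '' if absent."""
    m = re.search(HEADER_RE.format(field=re.escape(field)),
                  source[:HEADER_BYTES], re.MULTILINE | re.IGNORECASE)
    if not m:
        return ''
    # Like core's _cleanup_header_comment(): drop a trailing '*/' or '?>'.
    return re.sub(r'\s*(?:\*/|\?>).*', '', m.group(1)).strip()


def version_tuple(v: str) -> tuple:
    """'5.7.3' -> (5, 7, 3) for a simple numeric comparison."""
    return tuple(int(p) for p in re.findall(r'\d+', v))


def classify(slug: str, source: str, wp_version: str) -> str:
    """Classify one installed plugin's exposure to a confusion update."""
    if version_tuple(wp_version) < (5, 8):
        # Before 5.8 core ignores the header and queries WordPress.org
        # for every installed plugin slug; the header cannot protect.
        return 'exposed-core-ignores-header'
    uri = read_header(source, 'Update URI')
    if uri.lower() == 'false':
        return 'updates-disabled'
    host = (urlparse(uri).hostname or '') if uri else ''
    if uri == '' or host in WPORG_HOSTS:
        # Core includes this slug in its WordPress.org update query, so it
        # must actually belong to you there (or be unregistrable).
        if SLUG_RE.match(slug):
            return 'wporg-query-verify-slug'
        return 'wporg-query-unclaimable-slug'
    # Custom host: core skips WordPress.org and fires update_plugins_{host}.
    return 'self-hosted:' + host


# Constructed sample plugin main files (not real plugins).
SAMPLES = {
    'acme-internal-tools': """<?php
/**
 * Plugin Name: Acme Internal Tools
 * Version: 1.0.0
 */
""",
    'acme-billing': """<?php
/*
Plugin Name: Acme Billing
Update URI: https://updates.example.com/acme-billing/
*/
""",
    'acme-legacy': """<?php
/* Plugin Name: Acme Legacy
 * Update URI: false */
""",
    'akismet': """<?php
/**
 * Plugin Name: Akismet Anti-Spam
 * Update URI: https://wordpress.org/plugins/akismet/
 */
""",
}


def audit(wp_version: str, samples=SAMPLES) -> dict:
    """Map each sample slug to its classification for the given core version."""
    return {slug: classify(slug, src, wp_version) for slug, src in samples.items()}


if __name__ == '__main__':
    for slug, verdict in audit('5.8').items():
        print(f'{slug:22} {verdict}')
```

On a real site, feed it the directory name of each plugin folder under wp-content/plugins as the slug and the contents of its main file as the source. Anything reported as wporg-query-verify-slug on 5.8+ still needs a manual check that the slug is registered to you in the directory; on any core version below 5.8 every plugin is reported exposed, because the only fix there is upgrading core.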
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| WordPress | WordPress | < 5.8 |
References
- https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/ (Release Notes, Vendor Advisory)
- https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/ (Exploit, Third Party Advisory)
Frequently Asked Questions
What is CVE-2021-44223?
A plugin-confusion weakness in WordPress core before 5.8. Core queries the WordPress.org Plugin Directory for updates using each installed plugin's slug, so a plugin whose slug fits the directory's naming rules but is not registered there can be claimed by an attacker, and the site will then install the attacker's upload as an update. WordPress 5.8 added the Update URI plugin header so a plugin can name another update source or opt out of update checks.
How severe is CVE-2021-44223?
Critical: CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). EPSS estimates a 28.98% chance of exploitation in the next 30 days.
How do I fix CVE-2021-44223?
Upgrade WordPress core to 5.8 or later, and give every custom or privately distributed plugin an Update URI header pointing at its own update host (or set to false to disable update checks) so core no longer asks WordPress.org about it.
Source: NVD / NIST
