Vulnerability Description
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wordpress | Wordpress | < 5.8 |
References
- https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-Release NotesVendor Advisory
- https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwnExploitThird Party Advisory
- https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-Release NotesVendor Advisory
- https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwnExploitThird Party Advisory
FAQ
What is CVE-2021-44223?
CVE-2021-44223 is a vulnerability with a CVSS score of 8.1 (HIGH). WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that ...
How severe is CVE-2021-44223?
CVE-2021-44223 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-44223?
Check the references section above for vendor advisories and patch information. Affected products include: Wordpress Wordpress.