CVE-2021-44223

Name: CVE-2021-44223
Description: WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                        Version                 Status
wordpress (PTS)   stretch                        4.7.5+dfsg-2+deb9u6     vulnerable
                  stretch (security)             4.7.23+dfsg-0+deb9u1    vulnerable
                  buster, buster (security)      5.0.15+dfsg1-0+deb10u1  vulnerable
                  bullseye (security), bullseye  5.7.5+dfsg1-0+deb11u1   vulnerable
                  bookworm, sid                  6.0+dfsg1-1             fixed

The information below is based on the following data on fixed versions.

Package    Type    Release     Fixed Version   Urgency  Origin  Debian Bugs
wordpress  source  (unstable)  5.8.1+dfsg1-1

Notes

[bullseye] - wordpress <no-dsa> (Minor issue; workarounds/mitigation for older versions can be implemented)
[buster] - wordpress <no-dsa> (Minor issue; workarounds/mitigation for older versions can be implemented)
[stretch] - wordpress <no-dsa> (Minor issue; workarounds/mitigation for older versions can be implemented)
WordPress 5.8 introduces a new "Update URI" plugin header. Further mitigation
options are documented in:
https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/
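As an added audit check (not part of the Debian tracker entry or of WordPress itself), the script below walks a wp-content/plugins directory and reports every plugin whose main file carries no "Update URI" header, i.e. plugins that a WordPress 5.8+ site will still resolve against WordPress.org by slug. The sample plugin tree it builds is constructed for the demonstration; the function and directory names are assumptions.

```shell
#!/bin/sh
# Report plugin slugs whose main plugin file (the one with a "Plugin Name:"
# header) has no "Update URI:" header. Without that header, update checks
# for the slug go to WordPress.org, which is what the plugin-confusion
# scenario in CVE-2021-44223 relies on.
plugins_missing_update_uri() {
    dir="$1"
    for plugin_dir in "$dir"/*/; do
        [ -d "$plugin_dir" ] || continue
        slug=$(basename "$plugin_dir")
        # Main plugin file: first *.php in the plugin directory with a Plugin Name header.
        main=$(grep -E -l '^[[:space:]]*\*?[[:space:]]*Plugin Name:' \
                   "$plugin_dir"*.php 2>/dev/null | head -n 1)
        [ -n "$main" ] || continue
        if ! grep -E -q -i '^[[:space:]]*\*?[[:space:]]*Update URI:' "$main"; then
            echo "$slug"
        fi
    done
}

# Constructed sample tree (not a real site): one plugin with the header set to
# a vendor URL, one without any Update URI header.
make_sample_plugins() {
    root=$(mktemp -d)
    mkdir -p "$root/hardened-plugin" "$root/unlisted-plugin"
    cat > "$root/hardened-plugin/hardened-plugin.php" <<'EOF'
<?php
/**
 * Plugin Name: Hardened Plugin
 * Update URI: https://example.com/hardened-plugin/
 */
EOF
    cat > "$root/unlisted-plugin/unlisted-plugin.php" <<'EOF'
<?php
/**
 * Plugin Name: Unlisted Plugin
 * Version: 1.0
 */
EOF
    echo "$root"
}

# Usage: sh audit-update-uri.sh /var/www/html/wp-content/plugins
if [ -n "${1:-}" ]; then
    plugins_missing_update_uri "$1"
fi
```

Any slug printed that is not (yet) published in the WordPress.org Plugin Directory deserves an Update URI header from its author or a review before the next automatic update run.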
