2027154 – (CVE-2021-44223) CVE-2021-44223 wordpress: remote code execution via a supply-chain attack

Bug 2027154 (CVE-2021-44223) - CVE-2021-44223 wordpress: remote code execution via a supply-chain attack

Summary: CVE-2021-44223 wordpress: remote code execution via a supply-chain attack

Keywords:
Status:	NEW
Alias:	CVE-2021-44223
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2027155
Blocks:
TreeView+	depends on / blocked

Reported:	2021-11-29 03:06 UTC by Marian Rehak
Modified:	2023-07-07 08:35 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2021-11-29 03:06:36 UTC

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

External Reference:

https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/

Comment 1 Marian Rehak 2021-11-29 03:06:54 UTC

Created wordpress tracking bugs for this issue:

Affects: epel-7 [bug 2027155]

Note You need to log in before you can comment on or make changes to this bug.