Bug 2027154 (CVE-2021-44223) - CVE-2021-44223 wordpress: remote code execution via a supply-chain attack
Summary: CVE-2021-44223 wordpress: remote code execution via a supply-chain attack
Keywords:
Status: NEW
Alias: CVE-2021-44223
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2027155
Blocks:
 
Reported: 2021-11-29 03:06 UTC by Marian Rehak
Modified: 2023-07-07 08:35 UTC
CC List: 2 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Marian Rehak 2021-11-29 03:06:36 UTC
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

External Reference:

https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/
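
The description above turns on one mechanism: without an Update URI header, every installed plugin is matched against the wordpress.org Plugin Directory by its slug, so whoever registers that slug in the directory first controls the "update" the site will install. The script below is an added example for this bug page, not WordPress core code and not something Red Hat shipped. It reads the plugin-header block the way WordPress documents it, derives the slug from the plugin directory name, and then models the pre-5.8 and 5.8+ behaviour as described in the linked announcement. The sample plugin files are constructed, the slug regex is an approximation of the directory's naming rules (an assumption), and treating `w.org` as a directory alias is likewise an assumption. Whether a given slug is actually absent from the directory still needs an online lookup, which this offline model does not do.

```python
"""Model of which installed plugins WordPress matches against the
wordpress.org Plugin Directory, before and after the Update URI header.
Added example, not WordPress's own implementation."""

import re
from urllib.parse import urlparse

# Assumption: approximation of Plugin Directory slug rules (lowercase
# letters, digits and hyphens). A slug that fails this cannot be claimed.
SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9-]*$")

# Assumption: hosts whose Update URI means "this is a directory plugin".
DIRECTORY_HOSTS = {"wordpress.org", "w.org"}

# Constructed sample plugins (main file path -> file contents); not real plugins.
SAMPLE_PLUGINS = {
    "acme-internal-tools/acme-internal-tools.php": (
        "<?php\n/*\nPlugin Name: Acme Internal Tools\nVersion: 1.2.0\n*/\n"
    ),
    "acme-private-crm/acme-private-crm.php": (
        "<?php\n/**\n * Plugin Name: Acme Private CRM\n * Version: 3.0.1\n"
        " * Update URI: https://updates.acme.example/plugins/acme-private-crm/\n */\n"
    ),
    "acme-no-updates/acme-no-updates.php": (
        "<?php\n/*\nPlugin Name: Acme No Updates\nVersion: 0.9\nUpdate URI: false\n*/\n"
    ),
    "Weird_Plugin/Weird_Plugin.php": (
        "<?php\n/*\nPlugin Name: Weird Plugin\nVersion: 1.0\n*/\n"
    ),
}


def parse_plugin_headers(source: str) -> dict:
    """Read 'Key: value' header lines from the leading comment block, ignoring
    comment punctuation at the start of each line, as WordPress does."""
    headers = {}
    for key in ("Plugin Name", "Version", "Update URI"):
        pattern = r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$"
        m = re.search(pattern, source[:8192], re.IGNORECASE | re.MULTILINE)
        if m:
            headers[key] = m.group(1).strip()
    return headers


def plugin_slug(plugin_file: str) -> str:
    """Slug is the plugin's directory name, or the basename for single-file plugins."""
    parts = plugin_file.split("/")
    if len(parts) > 1:
        return parts[0]
    return parts[0].rsplit(".php", 1)[0]


def update_source(headers: dict) -> str:
    """Where updates may come from once Update URI is honoured (5.8+)."""
    uri = headers.get("Update URI", "")
    if not uri:
        return "wordpress.org"        # no header: matched in the directory by slug
    if uri.lower() == "false":
        return "disabled"             # explicit opt-out from update checks
    host = urlparse(uri).hostname or ""
    if host in DIRECTORY_HOSTS:
        return "wordpress.org"
    return host                       # third-party update host, via update_plugins_{host}


def _version_tuple(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))


def audit_plugins(plugins: dict, wp_version: str) -> dict:
    """Per slug: the effective update source and whether the plugin would be
    matched against the public directory by slug alone (the exposure here)."""
    honours_update_uri = _version_tuple(wp_version) >= (5, 8)
    report = {}
    for plugin_file, source in plugins.items():
        slug = plugin_slug(plugin_file)
        headers = parse_plugin_headers(source)
        src = update_source(headers) if honours_update_uri else "wordpress.org"
        claimable = bool(SLUG_RE.match(slug))
        report[slug] = {
            "update_source": src,
            "slug_claimable": claimable,
            "exposed": src == "wordpress.org" and claimable,
        }
    return report


if __name__ == "__main__":
    for version in ("5.7.2", "5.8"):
        print(f"WordPress {version}:")
        for slug, info in audit_plugins(SAMPLE_PLUGINS, version).items():
            print(f"  {slug:22s} source={info['update_source']:22s} exposed={info['exposed']}")
```

Run against a real site, the interesting rows are the ones marked exposed whose slug is not present in the directory; those are the plugins the description is about, and the remediation is either upgrading to 5.8+ and adding an Update URI header (a private host, or `false`) or reserving the slug in the directory.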

Comment 1 Marian Rehak 2021-11-29 03:06:54 UTC
Created wordpress tracking bugs for this issue:

Affects: epel-7 [bug 2027155]

