CVE-2021-44223

NameCVE-2021-44223
DescriptionWordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
wordpress (PTS)jessie, jessie (lts)4.1.35+dfsg-0+deb8u1vulnerable
stretch (security), stretch (lts), stretch4.7.23+dfsg-0+deb9u1vulnerable
buster5.0.15+dfsg1-0+deb10u1vulnerable
buster (security)5.0.21+dfsg1-0+deb10u1vulnerable
bullseye (security), bullseye5.7.8+dfsg1-0+deb11u2vulnerable
bookworm6.1.1+dfsg1-1fixed
sid, trixie6.4.3+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
wordpresssource(unstable)5.8.1+dfsg1-1

Notes

[bullseye] - wordpress <no-dsa> (Minor issue; workarounds/mitigation for older versions can be implemented)
[buster] - wordpress <no-dsa> (Minor issue; workarounds/mitigation for older versions can be implemented)
[stretch] - wordpress <no-dsa> (Minor issue; workarounds/mitigation for older versions can be implemented)
WordPress 5.8 introduces a new "Update URI" plugin header. Further mitigation
options documented in:
https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/
[jessie] - wordpress <no-dsa> (Minor issue)

Search for package or bug name: Reporting problems