CVE Vulnerabilities

CVE-2021-44223

Published: Nov 25, 2021 | Modified: Nov 30, 2021
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

Affected Software

Name Vendor Start Version End Version
Wordpress Wordpress * 5.8 (excluding)
Wordpress Ubuntu bionic *
Wordpress Ubuntu hirsute *
Wordpress Ubuntu impish *
Wordpress Ubuntu trusty *
Wordpress Ubuntu upstream *
Wordpress Ubuntu xenial *

References