CVE-2021-44223
Published: 25 November 2021
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
Priority
Status
Package | Release | Status |
---|---|---|
wordpress | bionic | Needs triage |
wordpress | focal | Needs triage |
wordpress | hirsute | Ignored (end of life) |
wordpress | impish | Ignored (end of life) |
wordpress | jammy | Not vulnerable (5.8.1+dfsg1-2ubuntu1) |
wordpress | kinetic | Not vulnerable (5.8.1+dfsg1-2ubuntu1) |
wordpress | lunar | Not vulnerable (5.8.1+dfsg1-2ubuntu1) |
wordpress | mantic | Not vulnerable (5.8.1+dfsg1-2ubuntu1) |
wordpress | trusty | Ignored (end of standard support) |
wordpress | upstream | Released (5.8.1+dfsg1-1) |
wordpress | xenial | Needs triage |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |