Bug 830715 (CVE-2022-21661, CVE-2022-21662, CVE-2022-21663, CVE-2022-21664) - <www-apps/wordpress-5.8.3: multiple vulnerabilities
Summary: <www-apps/wordpress-5.8.3: multiple vulnerabilities
Status: CONFIRMED
Alias: CVE-2022-21661, CVE-2022-21662, CVE-2022-21663, CVE-2022-21664
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://wordpress.org/news/2022/01/wo...
Whiteboard: B3 [glsa?]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-07 04:50 UTC by John Helmert III
Modified: 2022-01-08 20:28 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III gentoo-dev Security 2022-01-07 04:50:18 UTC
CVE-2022-21661 (https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-6676-cqfm-gw84):

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to improper sanitization in WP_Query, there can be cases where SQL injection is possible through plugins or themes that use it in a certain way. This has been patched in WordPress version 5.8.3. Older affected versions, going back to 3.7.37, are also fixed via security releases. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this vulnerability.

CVE-2022-21662 (https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w):

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like authors) in WordPress core are able to execute JavaScript/perform a stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions, going back to 3.7.37, are also fixed via security releases. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

CVE-2022-21663 (https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h):

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with the Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions, going back to 3.7.37, are also fixed via security releases. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

CVE-2022-21664 (https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86):

WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to a lack of proper sanitization in one of the classes, there is potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions, going back to 4.1.34, are also fixed via security releases. We strongly recommend that you keep auto-updates enabled. There are no known workarounds for this issue.

Fixes in 5.8.3, please bump.
Comment 1 Miroslav Šulc gentoo-dev 2022-01-07 08:00:36 UTC
Already bumped, and 5.8.2 is gone, so we have only 5.8.3.
Comment 2 filip ambroz 2022-01-08 11:40:21 UTC
Thank you, this seems to resolve the issue. Closing as invalid.
Comment 3 John Helmert III gentoo-dev Security 2022-01-08 20:28:19 UTC
Not invalid, but needs GLSA vote.