Object Injection Vulnerability in WP 3.5 to 5.7.1

Hi, in the last few days a vulnerability was discovered in WordPress in all versions from 3.5 to 5.7.1.
I don’t know if this is just a way of ensuring that everyone updates to the new WP version, but of course I would like to know how far this gap also affects CP and whether a security update is planned.

Thanks for any info!


There’s a discussion on Slack about this. Here’s what @james said:

XXE vulnerability within the media library affecting PHP 8 won’t affect CP because we don’t support PHP 8 yet (shouldn’t affect WP 4.9 either for the same reason, the WP post looks misleading here)

Data exposure vulnerability within the REST API looks to be an edge case regarding password-protected posts and special permissions assigned by plugins; we will accept this patch.

The version of these changes that we’ll take is the one released with WP 4.9.17 - https://github.com/WordPress/wordpress-develop/compare/4.9.16...4.9.17


Ok, thanks for the quick response.
