On January 6, 2022, the WordPress core team released WordPress version 5.8.3, which contains security patches for 4 high-severity vulnerabilities. These patches were backported to every version of WordPress since 3.7.
WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites will have received these patches automatically and are no longer vulnerable.
Let me repeat that. Most WordPress sites are not in danger from these vulnerabilities, thanks to the WordPress core team deploying patches to all sites that allow automatic core updates for security patches, which is the default behavior.
Sites on read-only filesystems, as well as sites that have explicitly disabled automatic core updates by setting define( 'WP_AUTO_UPDATE_CORE', false ); in wp-config.php, may not yet have updated, and we urge owners of these sites to do so as soon as possible.
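To find sites in that position, the following shell script reports the installed version, whether wp-config.php disables core auto-updates, and whether the WordPress root is writable. It is an added example, not code from WordPress or Wordfence; the function names are hypothetical, and it assumes wp-config.php sits in the WordPress root and that wp-includes/version.php sets $wp_version.

```shell
#!/bin/sh
# Added example: audit one WordPress root for the conditions named above.
# Assumes wp-config.php sits in the root and wp-includes/version.php sets $wp_version.

# "disabled" when an uncommented define sets WP_AUTO_UPDATE_CORE to false.
core_autoupdate_state() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || { echo "no-config"; return 0; }
    if grep -Ev '^[[:space:]]*(//|#|/?\*)' "$cfg" |
       grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*false[[:space:]]*\)"; then
        echo "disabled"
    else
        echo "not-disabled"
    fi
}

# Version string from wp-includes/version.php (empty if the file is missing).
installed_version() {
    sed -n "s/^[[:space:]]*\\\$wp_version[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" \
        "$1/wp-includes/version.php" 2>/dev/null | head -n 1
}

# Only the 5.8 branch is judged: 5.8.3 is the one patched version the post names.
branch_58_status() {
    case "$1" in
        '')            echo "unknown" ;;
        5.8|5.8.[0-2]) echo "behind" ;;
        5.8.*)         echo "patched" ;;
        *)             echo "other-branch" ;;
    esac
}

# One summary line per site. Writability is tested as the user running this
# script, which may differ from the web server account.
audit_wp_root() {
    v=$(installed_version "$1")
    if [ -w "$1" ]; then w=yes; else w=no; fi
    printf '%s version=%s core_autoupdate=%s branch_5.8=%s writable=%s\n' \
        "$1" "${v:-unknown}" "$(core_autoupdate_state "$1")" "$(branch_58_status "$v")" "$w"
}

if [ "$#" -gt 0 ]; then audit_wp_root "$1"; fi
```

Run it with the WordPress root as its only argument. A result of other-branch means the site is on a release line whose patched version this post does not list, so check that branch's latest security release separately.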
Vulnerability Analysis
As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain secure. Wordfence protects against all vulnerabilities addressed in this release of WordPress core, and as an additional precaution we have released a new firewall rule to protect against the cross-site scripting vulnerability that was fixed in this release. This rule has been deployed to Wordfence Premium users.
Even if you are running Wordfence Premium, we encourage you to update WordPress core on all your sites at your earliest convenience, if you have not already been automatically updated.