61 WordPress Security Vulnerabilities Fixed


Polish hacker Michał Bentkowski discovered 61 WordPress security vulnerabilities immediately after the release of WordPress 5.8.1. Security vulnerabilities in WordPress have been a pain in the neck for all its users, and WordPress plugin security vulnerabilities are among the issues we discuss in the WordPress security issues list below.

WordPress Security Vulnerabilities

WordPress rolled out an update to its core codebase that includes mitigations against several troublesome security flaws, described below.

As well as fixing 61 bugs, WordPress 5.8.1, delivered yesterday (September 9), addresses an information disclosure vulnerability in the REST API, the interface that lets plugins and themes communicate with WordPress core.

It also fixes a cross-site scripting (XSS) vulnerability in the Gutenberg block editor. This was found by Polish hacker Michał Bentkowski, who said he reported the bug “quite a while ago” and would soon publish a write-up.


Upstream security fixes for the Lodash JavaScript library were also bundled into the WordPress release. These are rated from critical to high severity.

The update also includes 41 bug fixes in WordPress core, as well as 20 bug fixes for the block editor.

Core Update

The open-source web giant recommends that site administrators update their sites to version 5.8.1 as soon as possible.

Version 5.8.1, the most recent major WordPress release, was rolled out in July, expanding the Site Health admin interface to make it easier for developers to add their own tabs and to let site administrators navigate the Site Health section more easily.

It also added several new block editor features, support for the WebP image format, an ‘Update URI’ header for plugin developers, and changes to the REST API.

WordPress Security Issues List

Data exposure vulnerability within the REST API

Web: https://wordpress.org/support/wordpress-version/version-5-8-1/
Info: Information disclosure in wp_die() via JSONP, leading to CSRF.
Core Trac: https://core.trac.wordpress.org/changeset/51741/
CWE: CWE-200 (Information Disclosure), CWE-352 (CSRF)
CVE ID: CVE-2021-39200
H1 Report: https://hackerone.com/reports/1142140
CVSS3.0: 3.7 (base score)
Affected versions: 5.2 – 5.8

Details & Impact: In affected versions of WordPress, the output of the wp_die() function can be leaked under certain conditions (the JSONP response format), and that output can include data such as nonces. A leaked nonce can then be used to perform actions on the victim's behalf, which is why the issue is classed as leading to CSRF.
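To show the mechanism the record above describes (a JSONP body is plain script, so any page that includes it cross-origin can read whatever it carries, nonces included), here is an added example in Node.js. It is not WordPress code and does not reproduce the fixed change; the function names `buildJsonpResponse`, `redactNonces` and `readJsonpBody`, the callback pattern and the sensitive-key list are all assumptions made for the illustration. The mitigation shown is the defensive rule of thumb: validate the callback name and never let session-bound secrets into a JSONP body.

```javascript
// Added example (not WordPress code). Demonstrates why data placed in a JSONP
// response is readable by any origin, and a guard that keeps nonces out of it.
// Names and patterns below are assumptions for this illustration.

// A JSONP callback must be a plain dotted identifier; anything else is
// rejected so the response cannot be bent into arbitrary script.
const JSONP_CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Keys whose values must never be wrapped into a JSONP body (assumed names).
const SENSITIVE_KEYS = new Set(["nonce", "_wpnonce", "csrf_token"]);

// Return a deep copy of `value` with sensitive keys replaced by "[redacted]".
function redactNonces(value) {
  if (Array.isArray(value)) return value.map(redactNonces);
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEYS.has(k) ? "[redacted]" : redactNonces(v);
    }
    return out;
  }
  return value;
}

// Build the script body a JSONP endpoint would send. Throws on an unsafe
// callback name and never emits a nonce, even inside an error payload.
function buildJsonpResponse(callback, payload) {
  if (!JSONP_CALLBACK_RE.test(callback)) {
    throw new Error("invalid JSONP callback name");
  }
  // U+2028/U+2029 are line terminators in JS but not in JSON; escape them so
  // the body stays a single valid script statement.
  const json = JSON.stringify(redactNonces(payload))
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  // The leading comment is conventional JSONP hygiene against content sniffing.
  return `/**/${callback}(${json});`;
}

// What any page that loads the JSONP URL with a <script> tag can observe:
// the browser sends the victim's cookies and then runs the body, so the
// callback receives the full payload. Here the callback is named `cb`.
function readJsonpBody(scriptBody) {
  let captured = null;
  new Function("cb", scriptBody)((data) => { captured = data; });
  return captured;
}

// Constructed sample: an error payload that, unredacted, would carry a nonce.
const SAMPLE_ERROR = {
  code: "rest_forbidden",
  data: { status: 403, nonce: "constructed-nonce-value" },
};

console.log(buildJsonpResponse("cb", SAMPLE_ERROR));
console.log(readJsonpBody(buildJsonpResponse("cb", SAMPLE_ERROR)));
```

The take-away for a defender is the second function: everything inside the parentheses of a JSONP response is data the including page gets to keep, so error handlers that fall back to JSONP must be held to the same rule as any other cross-origin response and must not carry per-user secrets.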


Block Editor XSS vulnerability

Web: https://wordpress.org/support/wordpress-version/version-5-8-1/
Info: XSS vulnerability within the Gutenberg Block Editor
Core Trac: https://core.trac.wordpress.org/changeset/51681
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’))
CVE ID: N/A
CVSS3.0: N/A
Affected versions: 5.4 – 5.8

Details & Impact: An authenticated low-privileged user (contributor+) can perform Persistent/Stored XSS injections, which can lead to a complete compromise of the website.

Discovered by: Michał Bentkowski from Securitum.
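Patching closes the injection path but does not remove content that a low-privileged user may already have stored while the site was on an affected version. The following added example (not WordPress code and not the researcher's material) is a post-upgrade audit in Node.js that scans exported block content for markup a block editor should never have saved. The pattern list, the `auditPosts` and `auditPostContent` names and the sample posts are constructed for the illustration.

```javascript
// Added example (not WordPress code): audit stored post_content after patching
// for markup that indicates a stored XSS payload rather than editor output.
// Patterns, function names and sample posts are constructed for illustration.

const SUSPICIOUS_PATTERNS = [
  { name: "script tag", re: /<script\b/i },
  { name: "inline event handler", re: /<[^>]+\son[a-z]+\s*=/i },
  { name: "javascript: URL", re: /\b(?:href|src|action)\s*=\s*["']?\s*javascript:/i },
  { name: "embedding element", re: /<(?:iframe|object|embed|svg)\b/i },
];

// Roles below editor are the ones the advisory names (contributor+), so a hit
// in their content gets a higher review priority.
const LOW_PRIVILEGE_ROLES = new Set(["contributor", "author"]);

// Check one post; returns a finding per matched pattern with the offset.
function auditPostContent(post) {
  const findings = [];
  for (const { name, re } of SUSPICIOUS_PATTERNS) {
    const m = re.exec(post.content);
    if (m) {
      findings.push({
        id: post.id,
        authorRole: post.authorRole,
        pattern: name,
        at: m.index,
        priority: LOW_PRIVILEGE_ROLES.has(post.authorRole) ? "high" : "review",
      });
    }
  }
  return findings;
}

// Check an array of posts and return all findings, high priority first.
function auditPosts(posts) {
  const all = posts.flatMap(auditPostContent);
  return all.sort((a, b) => (a.priority === b.priority ? 0 : a.priority === "high" ? -1 : 1));
}

// Constructed sample export: one normal paragraph block and one block whose
// saved HTML carries an inline event handler that the editor never emits.
const SAMPLE_POSTS = [
  {
    id: 101,
    authorRole: "editor",
    content: "<!-- wp:paragraph --><p>Release notes for 5.8.1.</p><!-- /wp:paragraph -->",
  },
  {
    id: 102,
    authorRole: "contributor",
    content: '<!-- wp:html --><p class="note" onmouseover="run()">hover me</p><!-- /wp:html -->',
  },
];

console.log(auditPosts(SAMPLE_POSTS));
```

Run it over a database export of `post_content` for posts created while the site was on 5.4 through 5.8; anything it flags deserves a human look, and hits from contributor or author accounts first.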

The Lodash library update to version 4.17.21

Web: https://lodash.com
Info: Two vulnerabilities were fixed in Lodash library versions below 4.17.21
Core Trac: https://core.trac.wordpress.org/changeset/51750
Versions update: From version 4.17.19 to version 4.17.21

Vulnerability #1: CWE-77 – Command Injection (published 15 Feb, 2021) [CVE-2021-23337]

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H – 7.2 base score (High)

Vulnerability #2: Regular Expression DoS (published 15 Feb, 2021) [CVE-2020-28500]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L – 5.3 base score (Medium)
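Two things a practitioner wants from the Lodash record above: a quick way to tell whether a bundled copy is still older than 4.17.21, and a concrete picture of the regular-expression DoS class that CVE-2020-28500 belongs to. The added Node.js example below (not lodash's or WordPress's code) gives both. The dependency list is constructed, and `compareSemver`, `findVulnerableLodash`, `regexTrimEnd`, `linearTrimEnd` and `timeTrims` are names assumed for the illustration; the two trim functions show the general shape of a backtracking trailing-whitespace regex beside a linear-time replacement, not lodash's actual source.

```javascript
// Added example (not lodash's or WordPress's code). Part 1: flag a bundled
// lodash older than the fixed version. Part 2: the ReDoS-prone pattern class
// beside a linear-time alternative. Names and data are constructed.

const FIXED_LODASH = "4.17.21";
const LODASH_ADVISORIES = ["CVE-2021-23337", "CVE-2020-28500"]; // from the page

// Compare two dotted versions; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// deps: [{ name, version }] as read from a lock file or a bundled script's
// version header. Returns the lodash entries still below 4.17.21.
function findVulnerableLodash(deps) {
  return deps
    .filter((d) => d.name === "lodash" && compareSemver(d.version, FIXED_LODASH) < 0)
    .map((d) => ({ ...d, fixedIn: FIXED_LODASH, advisories: LODASH_ADVISORIES }));
}

// Trailing-whitespace trim with a backtracking regex. On a long run of
// whitespace followed by a non-space character the engine retries the
// anchored match from every start position, so work grows quadratically.
function regexTrimEnd(s) {
  return s.replace(/\s+$/, "");
}

// Same result in one backward pass; cost is linear in the input length.
function linearTrimEnd(s) {
  let i = s.length;
  while (i > 0 && /\s/.test(s[i - 1])) i--;
  return s.slice(0, i);
}

// Time both on a hostile-shaped input of n spaces followed by "x".
// Returns milliseconds for each so the gap can be observed directly.
function timeTrims(n) {
  const input = " ".repeat(n) + "x";
  const measure = (f) => {
    const start = performance.now();
    f(input);
    return performance.now() - start;
  };
  return { n, regexMs: measure(regexTrimEnd), linearMs: measure(linearTrimEnd) };
}

// Constructed dependency list, as a lock file or bundle inventory might yield.
const SAMPLE_DEPS = [
  { name: "lodash", version: "4.17.19" },
  { name: "react", version: "17.0.2" },
];

console.log(findVulnerableLodash(SAMPLE_DEPS));
console.log(timeTrims(5000));
```

Raise `n` in `timeTrims` and the regex variant's time climbs far faster than the loop's, which is the whole point of the fix: an attacker-controlled string of a few hundred kilobytes is enough to pin a worker that trims it with a pattern of that shape.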

See more from the Patchstack database.

Update your WordPress to get these WordPress security issues fixed

We also want to thank all of the reporters for privately disclosing the vulnerabilities. Private reporting gives the WordPress security team time to fix the vulnerabilities before WordPress sites can be attacked.

If you wish to learn more about vulnerabilities within your WordPress sites try out Patchstack.

You can see all the latest WordPress core, plugin, or theme vulnerabilities from the Patchstack vulnerability database.

WordPress 5.9 Release Date

The next major release will be version 5.9, currently in alpha, with beta 1 set for November 16 and a general release planned for December 14.

“The main goal for 2021 is getting full site editing to all WordPress users,” says executive director Josepha Haden Chomphosy.

CONCLUSION

WordPress 5.8.1 is now available and there are 3 WordPress security issues fixed in that version. Altogether this security and maintenance release features 61 bug fixes in addition to the 3 security fixes we focused on in this article. Because this was a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

If you have sites that support automatic updates, they’ve already started the update process.

WordPress Security Vulnerabilities FAQ

Why is WordPress not secure?

Why is my WordPress site not secure? Google says your WordPress website is not secure because your site doesn’t have an SSL certificate or has an SSL certificate that is poorly configured. The simplest way to resolve this Chrome error is to install an SSL certificate.

Is WordPress easily hacked?

Quite often, outdated software has vulnerabilities. So when WordPress administrators use outdated core, plugins, themes, and other software they expose security holes for hackers to exploit. Unfortunately, they do so quite often; outdated vulnerable software is one of the most common causes of hacked WordPress websites.

Is WordPress a security risk?

Yes, WordPress is safe. No software or website is entirely safe: if it is connected to the internet, it will always have vulnerabilities or ways to break in. However, the WordPress infrastructure is among the best-built and is designed to be secure from hackers and attackers.

Is WordPress secure for payments?

WordPress itself is secure enough to block cybercriminals from breaking into your site. When WordPress core is secure, your website is partly protected too.
