The WordPress 5.8.3 security release addresses four vulnerabilities affecting versions between 3.7 and 5.8, it is labeled as a short-cycle security release. The organization announced that the next major release will be version 5.9, which is already in the Release Candidate stage.
Two of the vulnerabilities addressed with this release are SQL injection issues; a first vulnerability resides in the WP_Query and was reported by ngocnb and khuyenn from GiaoHangTietKiem JSC through Trend Micro Zero Day Initiative; the second vulnerability affects WP_Meta_Query and was discovered by Ben Bidner of the WordPress security team, it is only relevant to versions 4.1-5.8.
The third vulnerability is a stored XSS through post slugs that was discovered by Karim El Ouerghemmi and Simon Scannell from SonarSource.
The fourth vulnerability is an object injection in some multisite installations that was reported by Simon Scannell of SonarSource.
All of the above vulnerabilities were privately reported to WordPress giving the security team time to address them before they could be exploited to compromise WordPress sites.
Users can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your Dashboard → Updates and clicking Update Now.
WordPress websites are a privileged target for threat actors, recently Wordfence researchers spotted a massive wave of attacks that was targeting over 1.6 million WordPress sites from 16,000 IPs.
(SecurityAffairs – hacking, WordPress 5.8.3)