CVE-2021-44223
Published 2021-11-25
Priority P2 (64) · critical · CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.98% (97.9th percentile)
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < 5.8.1+dfsg1-1 (bookworm) | 5.8.1+dfsg1-1 (bookworm) |
| wordpress | wordpress | < 5.8 | 5.8 |
| wordpress | wordpress | >= 0 < 5.8.1+dfsg1-1 | 5.8.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.8.1+dfsg1-1 | 5.8.1+dfsg1-1 |
| wordpress | wordpress | >= 0 < 5.8.1+dfsg1-1 | 5.8.1+dfsg1-1 |
Detection & IOCs (extracted from sources)
- Vulnerable versions are WordPress before 5.8; the absence of 'Update URI' plugin header support is the root condition that enables supply-chain plugin substitution attacks.
- The vulnerability is exploitable only when a site uses a plugin whose slug matches the WordPress.org Plugin Directory naming constraints but the plugin is not yet registered in that directory; an attacker can register the slug and push a malicious update.
- Debian bullseye remains unfixed (open) as of the tracked data; the fixed version on Debian is 5.8.1+dfsg1-1.
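A defender-side inventory check for the condition described above, added here as an example and not part of the advisory, of WordPress core or of any indexed tool: it reads each plugin's main-file header the way core does (first 8 KiB, one `Field: value` line per header) and flags plugins that need review given the core version. The plugin sources, slugs and the slug pattern `^[a-z0-9-]+$` are constructed assumptions, not values from the advisory.

```python
import re
from typing import Dict, List

# Header fields WordPress reads from the leading comment of a plugin's main file.
HEADER_FIELDS = ("Plugin Name", "Plugin URI", "Version", "Update URI")

# Assumed shape of a WordPress.org directory slug (assumption, not from the advisory).
SLUG_RE = re.compile(r"^[a-z0-9-]+$")


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Extract header fields; core only inspects the first 8 KiB and
    accepts lines such as ' * Update URI: https://updates.example/...'."""
    head = source[:8192]
    fields: Dict[str, str] = {}
    for name in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$", head, re.M | re.I)
        if m:
            fields[name] = m.group(1).strip()
    return fields


def version_tuple(version: str):
    return tuple(int(p) for p in re.findall(r"\d+", version))


def flag_exposed_plugins(plugins: Dict[str, str], wp_version: str) -> List[str]:
    """Slugs to review for CVE-2021-44223.

    Core older than 5.8 ignores Update URI entirely, so every plugin with a
    directory-shaped slug is flagged. On fixed core, only plugins that still
    lack an Update URI header are flagged; whether each slug is actually
    registered in the directory must then be confirmed by hand."""
    core_old = version_tuple(wp_version) < (5, 8)
    flagged = []
    for slug, source in plugins.items():
        if not SLUG_RE.match(slug):
            continue  # slug could not be claimed in the directory under the assumed rule
        header = parse_plugin_header(source)
        if core_old or "Update URI" not in header:
            flagged.append(slug)
    return flagged


# Constructed sample plugin sources (hypothetical names, not real plugins).
SAMPLE_PLUGINS = {
    "acme-internal-tools": "<?php\n/*\nPlugin Name: Acme Internal Tools\nVersion: 1.2.0\n*/\n",
    "acme-reports": "<?php\n/**\n * Plugin Name: Acme Reports\n * Version: 0.9\n * Update URI: false\n */\n",
    "Acme_Legacy": "<?php\n/*\nPlugin Name: Acme Legacy\n*/\n",
}
```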
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_debian | | 8.1 | HIGH | |
GHSA
GHSA-m8cv-g4gv-cx2g: WordPress before 5
ghsa_unreviewed · 2022-05-24 · CVE-2021-44223 [CRITICAL]
OSV
CVE-2021-44223: WordPress before 5
osv · 2021-11-25 · CVSS 9.8 · CVE-2021-44223 [CRITICAL]
Debian
CVE-2021-44223: wordpress - WordPress before 5.8 lacks support for the Update URI plugin header. This makes ...
vendor_debian · 2021 · CVSS 8.1 · CVE-2021-44223 [HIGH]
Scope: local
bookworm: resolved (fixed in 5.8.1+dfsg1-1)
bullseye: open
forky: resolved (fixed in 5.8.1+dfsg1-1)
sid: resolved (fixed in 5.8.1+dfsg1-1)
trixie: resolved (fixed in 5.8.1+dfsg1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/
- https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
Published 2021-11-25