CVE-2021-44223
published 2021-11-25


Priority: P2 · 64 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 28.98% (97.9th percentile)
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.

Affected

5 ranges

Vendor    | Product   | Version range                              | Fixed in
debian    | wordpress | < wordpress 5.8.1+dfsg1-1 (bookworm)       | wordpress 5.8.1+dfsg1-1 (bookworm)
wordpress | wordpress | < 5.8                                      | 5.8
wordpress | wordpress | >= 0 < 5.8.1+dfsg1-1                       | 5.8.1+dfsg1-1
wordpress | wordpress | >= 0 < 5.8.1+dfsg1-1                       | 5.8.1+dfsg1-1
wordpress | wordpress | >= 0 < 5.8.1+dfsg1-1                       | 5.8.1+dfsg1-1

Detection & IOCs (extracted from sources)

  • Vulnerable versions are WordPress before 5.8; absence of 'Update URI' plugin header support is the root condition enabling supply-chain plugin substitution attacks
  • The vulnerability is exploitable only when a site uses a plugin whose slug matches WordPress.org Plugin Directory naming constraints but the plugin is NOT yet registered/present in that directory — attackers can register the slug and push a malicious update.
  • Debian bullseye remains unfixed (open) as of the tracked data; fixed version on Debian is 5.8.1+dfsg1-1.
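The condition described above can be checked offline by reading each installed plugin's header block. The script below is an added example written for this entry; it is not code from cbcvebase or from WordPress. It mirrors how WordPress locates a `Field: value` header in the first 8 KiB of a plugin's main file and then sorts plugins into three groups: those whose `Update URI` names WordPress.org, those whose `Update URI` names another source (WordPress 5.8+ then stops asking WordPress.org for their updates), and those with no header at all. The slug pattern (lowercase letters, digits, single hyphens) and the two WordPress.org forms of the `Update URI` value are assumptions stated in the code; the sample plugin files are constructed, not real plugins.

```python
import re

# WordPress reads plugin headers from the first 8 KiB of the main plugin file.
HEADER_BYTES = 8192

# Shape of a slug the WordPress.org Plugin Directory would accept: lowercase
# letters, digits and single hyphens. This is an assumption about the
# directory's naming convention; the CVE text only says such constraints exist.
WPORG_SLUG = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")


def read_header(content: str, field: str):
    """Return the value of one 'Field: value' plugin header, or None if absent.

    A header line may begin with comment decoration (spaces, '/', '*', '#',
    '@'), followed by the field name, a colon and the value.
    """
    head = content[:HEADER_BYTES]
    pattern = r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$"
    match = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
    if not match:
        return None
    # Drop trailing comment terminators such as ' */' and surrounding whitespace.
    return re.sub(r"\s*(?:\*/|\?>).*", "", match.group(1)).strip()


def points_to_wporg(update_uri: str, slug: str) -> bool:
    """True when the Update URI names WordPress.org as the update source.

    Assumed forms recognised by WordPress 5.8+: the directory page URL or the
    short 'w.org/plugin/<slug>' form.
    """
    return update_uri in (
        f"https://wordpress.org/plugins/{slug}/",
        f"w.org/plugin/{slug}",
    )


def assess_plugin(slug: str, content: str) -> dict:
    """Classify one plugin by its directory slug and Update URI header."""
    update_uri = read_header(content, "Update URI")
    if update_uri is None:
        # No header: WordPress asks WordPress.org for updates under this slug.
        # Only a directory-shaped slug can be claimed there, so only those need
        # review. A slug already registered by its real author is fine, which
        # an offline scan cannot tell apart from an unregistered one.
        status = "review" if WPORG_SLUG.match(slug) else "no-header"
    elif points_to_wporg(update_uri, slug):
        status = "wporg-managed"
    else:
        status = "opted-out"
    return {
        "slug": slug,
        "name": read_header(content, "Plugin Name"),
        "update_uri": update_uri,
        "status": status,
    }


def plugins_needing_review(plugins: dict) -> list:
    """Return, sorted, the slugs of plugins that lack an Update URI header
    and have a slug the WordPress.org directory would accept."""
    return sorted(
        slug for slug, content in plugins.items()
        if assess_plugin(slug, content)["status"] == "review"
    )


# Constructed sample plugin files (not real plugins), keyed by directory slug.
SAMPLE_PLUGINS = {
    "acme-forms": """<?php
/**
 * Plugin Name: Acme Forms
 * Version: 1.0.0
 */
""",
    "acme-forms-pro": """<?php
/*
Plugin Name: Acme Forms Pro
Update URI: https://updates.example.com/acme-forms-pro
*/
""",
    "Acme_Legacy": """<?php
/*
Plugin Name: Acme Legacy
*/
""",
    "hello-dolly": """<?php
/**
 * Plugin Name: Hello Dolly
 * Update URI: https://wordpress.org/plugins/hello-dolly/
 */
""",
}

if __name__ == "__main__":
    for slug, content in SAMPLE_PLUGINS.items():
        print(assess_plugin(slug, content))
    print("needs review:", plugins_needing_review(SAMPLE_PLUGINS))
```

On a real site, replace `SAMPLE_PLUGINS` with the contents of each `wp-content/plugins/<slug>/` main file. A plugin reported as `review` is only a candidate: confirm whether that slug actually exists in the WordPress.org directory before treating it as exposed. Note also that the `Update URI` header is only honoured by WordPress 5.8 and later, so for a site still below 5.8 the header alone changes nothing and the remediation is the version upgrade listed in the Affected table.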

CVSS provenance

nvd (v3.1): 9.8 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 7.5 HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv: 9.8 CRITICAL
vendor_debian: 8.1 HIGH