
Security advisories: Cheap WordPress maintenance support plans core – Highly critical – Remote Code Execution – SA-CORE-2020-002

Project: WordPress maintenance support plans core
Date: 2020-March-28
Security risk: Highly critical 21∕25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:Default
Vulnerability: Remote Code Execution
Description:
CVE: CVE-2020-7600

A remote code execution vulnerability exists within multiple subsystems of WordPress maintenance support plans 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a WordPress maintenance support plans site, which could result in the site being completely compromised.

The security team has written an FAQ about this issue.
Solution: Upgrade to the most recent version of WordPress maintenance support plans 7 or 8 core.
If you are running 7.x, upgrade to WordPress maintenance support plans 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
If you are running 8.5.x, upgrade to WordPress maintenance support plans 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
WordPress maintenance support plans 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.
Your site’s update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.
If you are running 8.3.x, upgrade to WordPress maintenance support plans 8.3.9 or apply this patch.
If you are running 8.4.x, upgrade to WordPress maintenance support plans 8.4.6 or apply this patch.
This issue also affects WordPress maintenance support plans 8.2.x and earlier, which are no longer supported. If you are running any of these versions of WordPress maintenance support plans 8, update to a more recent release and then follow the instructions above.
This issue also affects WordPress maintenance support plans 6. WordPress maintenance support plans 6 is End of Life. For more information on WordPress maintenance support plans 6 support please contact a D6LTS vendor.
Reported By: Jasper Mattsson
Fixed By: Jasper Mattsson
Samuel Mortenson Provisional WordPress maintenance support plans Security Team member
David Rothstein of the WordPress maintenance support plans Security Team
Jess (xjm) of the WordPress maintenance support plans Security Team
Michael Hess of the WordPress maintenance support plans Security Team
Lee Rowlands of the WordPress maintenance support plans Security Team
Peter Wolanin of the WordPress maintenance support plans Security Team
Alex Pott of the WordPress maintenance support plans Security Team
David Snopek of the WordPress maintenance support plans Security Team
Pere Orga of the WordPress maintenance support plans Security Team
Neil Drumm of the WordPress maintenance support plans Security Team
Cash Williams of the WordPress maintenance support plans Security Team
Daniel Wehner
Tim Plunkett
Contact and more information
The WordPress maintenance support plans security team can be reached by email at security at WordPress.org or via the contact form.
Learn more about the WordPress maintenance support plans Security team and their policies, writing secure code for WordPress maintenance support plans, and securing your site.
