CVE-2021-44223
9.8
CRITICAL
CVSS 3.1
EPSS 27.5%
Description
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
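As an added example, not part of this record or of WordPress itself: a small Python audit that reads plugin headers the way WordPress does and reports plugins whose update checks would still be answered by WordPress.org because they carry no Update URI header. The plugin sources are constructed for the example; the host rule follows WordPress's own, where an Update URI pointing anywhere other than wordpress.org or w.org opts the plugin out of directory updates.

```python
import re
from urllib.parse import urlparse

# Header fields WordPress parses from the main plugin file. "Update URI" is the header
# CVE-2021-44223 concerns: before 5.8 core ignored it, so every installed plugin was
# matched against the WordPress.org directory by slug alone.
HEADER_KEYS = ("Plugin Name", "Version", "Update URI")


def parse_plugin_header(source: str) -> dict:
    """Read the header block like WordPress does: first 8 KiB, one 'Key: value' per line."""
    head = source[:8192]
    fields = {}
    for key in HEADER_KEYS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$", head, re.M | re.I)
        if m:
            fields[key] = m.group(1).strip()
    return fields


def update_source(header: dict) -> str:
    """Classify where update checks for this plugin go on WordPress 5.8 or later."""
    uri = header.get("Update URI", "")
    if not uri:
        return "wordpress.org (no Update URI header)"
    host = urlparse(uri).hostname or ""
    if host in ("wordpress.org", "w.org"):
        return "wordpress.org (explicit)"
    # Any other value, including the common 'false', opts out of directory updates.
    return f"third-party: {uri}"


def audit_plugins(plugins: dict) -> list:
    """Return (slug, source) for plugins whose updates would still come from WordPress.org."""
    findings = []
    for slug, src in plugins.items():
        where = update_source(parse_plugin_header(src))
        if where.startswith("wordpress.org"):
            findings.append((slug, where))
    return findings


# Constructed sample plugin files keyed by directory slug (not real plugins).
SAMPLE_PLUGINS = {
    "acme-private-widgets": "<?php\n/*\nPlugin Name: Acme Private Widgets\nVersion: 1.2\n*/\n",
    "acme-billing": "<?php\n/**\n * Plugin Name: Acme Billing\n * Version: 3.0\n"
                    " * Update URI: https://updates.acme.example/acme-billing\n */\n",
    "acme-opted-out": "<?php\n/*\nPlugin Name: Acme Opted Out\nUpdate URI: false\n*/\n",
}

if __name__ == "__main__":
    for slug, where in audit_plugins(SAMPLE_PLUGINS):
        print(f"{slug}: update checks go to {where}")
```

A private plugin reported here should either declare an Update URI for its real update server or be confirmed to exist under that slug in the directory.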
How to fix CVE-2021-44223
To remediate CVE-2021-44223, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 5.8.0 or later
- upgrade to 5.8.0 or later
- no fix listed
Is CVE-2021-44223 being exploited?
Moderate — EPSS is 27.5%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (3)
- from 0, < 5.8.0
- from 0, < 5.8.0
- from 0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |