CVE-2021-44223

8.1 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code via supply-chain attacks against WordPress installations. Attackers can trick WordPress into updating plugins from malicious repositories when plugin slugs match WordPress.org naming conventions but aren't actually in the official directory. All WordPress sites using plugins are affected if they run versions before 5.8.

💻 Affected Systems

Products:
  • WordPress
Versions: All versions before 5.8
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations using plugins. The vulnerability requires attackers to control or compromise a plugin repository.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise with remote code execution leading to data theft, defacement, or ransomware deployment.

🟠 Likely Case: Malicious plugin installation leading to backdoor persistence, credential theft, or site takeover.

🟢 If Mitigated: Update failures or warnings when attempting to update from unofficial sources.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing and attackers can exploit remotely.
🏢 Internal Only: MEDIUM - Internal WordPress sites could be targeted via phishing or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires convincing users to install plugins from unofficial sources or compromising existing plugin update mechanisms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WordPress 5.8 and later

Vendor Advisory: https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Dashboard > Updates
3. Click 'Update Now' if WordPress 5.8+ is available
4. Alternatively, manually download WordPress 5.8+ from wordpress.org and replace files via FTP/SFTP

🔧 Temporary Workarounds

Add Update URI Header to Custom Plugins

Applies to: all platforms

Manually add an Update URI header to each custom plugin so that WordPress does not check WordPress.org for updates to it.

Add this header block to the plugin's main PHP file:

    /*
     * Plugin Name: Your Plugin
     * Update URI: https://example.com/your-update-server/
     */
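The Update URI header is only honored by WordPress 5.8 and later, so the useful pre-patch step is to find out which installed plugins would still be matched against WordPress.org by slug. The following audit script is an added example, not part of this advisory or of WordPress itself. It mirrors the header-parsing rule WordPress applies (a `Field: value` line in the first 8 KB of the plugin's main file) and classifies each plugin by its Update URI. The directory layout (`wp-content/plugins/<slug>/<file>.php`) and the sample plugin files are constructed assumptions for the demo.

```python
import re
from pathlib import Path
from typing import Dict, List
from urllib.parse import urlparse

# Header fields we care about; WordPress reads these from the first 8 KB of the main file.
HEADER_FIELDS = ("Plugin Name", "Version", "Update URI")

# Hostnames WordPress treats as "updates come from the official directory".
DOTORG_HOSTS = ("wordpress.org", "w.org")


def parse_plugin_headers(contents: str) -> Dict[str, str]:
    """Extract 'Field: value' lines from the leading comment block, as WordPress does."""
    head = contents[:8192]
    headers: Dict[str, str] = {}
    for field in HEADER_FIELDS:
        # Allow leading comment decoration (" * ", "#", "@") before the field name.
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$",
                      head, re.MULTILINE | re.IGNORECASE)
        if m:
            value = m.group(1).strip()
            value = re.sub(r"\s*(?:\*/|\?>).*", "", value)  # drop trailing comment closers
            headers[field] = value
    return headers


def classify(headers: Dict[str, str]) -> str:
    """Decide where WordPress 5.8+ would look for this plugin's updates."""
    uri = headers.get("Update URI", "").strip()
    if not uri:
        return "NO-HEADER"          # slug will be checked against WordPress.org
    if uri.lower() == "false":
        return "UPDATES-DISABLED"   # explicit opt-out from any update check
    host = (urlparse(uri).hostname or "").lower()
    if host in DOTORG_HOSTS or any(host.endswith("." + h) for h in DOTORG_HOSTS):
        return "WORDPRESS-ORG"
    return "THIRD-PARTY:" + host


def audit_plugins(plugin_files: Dict[str, str]) -> List[dict]:
    """Audit a mapping of relative path -> file contents; skip files without a Plugin Name."""
    report = []
    for rel_path, contents in plugin_files.items():
        headers = parse_plugin_headers(contents)
        if "Plugin Name" not in headers:
            continue  # helper file, not a plugin main file
        report.append({
            "file": rel_path,
            "slug": rel_path.split("/")[0],
            "name": headers["Plugin Name"],
            "status": classify(headers),
        })
    return report


def unprotected_slugs(report: List[dict]) -> List[str]:
    """Plugins that would still be matched by slug against WordPress.org."""
    return sorted(e["slug"] for e in report if e["status"] == "NO-HEADER")


def scan_plugin_dir(plugins_dir: str) -> List[dict]:
    """Read wp-content/plugins/<slug>/*.php from disk and audit it (assumed layout)."""
    root = Path(plugins_dir)
    files = {str(p.relative_to(root)): p.read_text(errors="ignore")[:8192]
             for p in root.glob("*/*.php")}
    return audit_plugins(files)


# Constructed sample plugin files for an offline run (not real plugins).
SAMPLE_PLUGINS = {
    "acme-analytics/acme-analytics.php":
        "<?php\n/**\n * Plugin Name: Acme Analytics\n * Version: 1.4.0\n */\n",
    "acme-billing/acme-billing.php":
        "<?php\n/*\nPlugin Name: Acme Billing\nVersion: 2.0.1\n"
        "Update URI: https://updates.example.com/acme-billing/\n*/\n",
    "hello-example/hello-example.php":
        "<?php\n/*\nPlugin Name: Hello Example\nVersion: 3.0\n"
        "Update URI: https://wordpress.org/plugins/hello-example/\n*/\n",
    "acme-internal/acme-internal.php":
        "<?php\n/*\nPlugin Name: Acme Internal Tools\nVersion: 0.9\nUpdate URI: false\n*/\n",
    "acme-internal/helpers.php":
        "<?php\n// no plugin header here\n",
}

if __name__ == "__main__":
    for entry in audit_plugins(SAMPLE_PLUGINS):
        print(f"{entry['slug']:<16} {entry['status']:<30} {entry['name']}")
    print("needs Update URI:", unprotected_slugs(audit_plugins(SAMPLE_PLUGINS)))
```

Run `scan_plugin_dir("/path/to/wp-content/plugins")` against a real install; every slug reported as NO-HEADER is one that the official update check will match by name, which is exactly the set this advisory's workaround targets.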

Disable Plugin Auto-updates

Applies to: all platforms

Prevent automatic plugin updates that could pull from malicious sources.

Add to wp-config.php:

    define('AUTOMATIC_UPDATER_DISABLED', true);

🧯 If You Can't Patch

  • Only install plugins from official WordPress.org repository or trusted sources with verified Update URI headers
  • Implement web application firewall rules to block suspicious plugin update requests

🔍 How to Verify

Check if Vulnerable:

Check WordPress version in admin dashboard or examine wp-includes/version.php file for version number

Check Version:

php -r "include('wp-includes/version.php'); echo \$wp_version;"

Verify Fix Applied:

Confirm WordPress version is 5.8 or higher in admin dashboard or via version.php

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin update requests from non-WordPress.org domains
  • Failed update attempts with error messages about repository access

Network Indicators:

  • Outbound connections to unusual domains during plugin update checks
  • HTTP requests to non-standard update servers

SIEM Query:

source="wordpress.log" AND ("update" AND "plugin" AND NOT "wordpress.org")
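The SIEM query above is a starting point; the check a detection engineer actually wants is "which outbound update-check or plugin-download requests went to a host that is neither WordPress.org nor a vendor's declared Update URI host". The script below is an added example, not part of this advisory or of any SIEM product. The log format (`<timestamp> <site> http_api <METHOD> <URL> <status>`) and the sample lines are constructed assumptions; adapt the `LOG_LINE` pattern to whatever your WordPress HTTP-API logging or egress proxy actually emits.

```python
import re
from typing import Iterable, List, Sequence
from urllib.parse import urlparse

# Hosts the official update flow legitimately talks to.
OFFICIAL_HOSTS = {"api.wordpress.org", "downloads.wordpress.org", "wordpress.org"}

# URL paths that look like an update check or a plugin package download.
UPDATE_PATH = re.compile(r"update|/plugins?/.*\.zip$", re.IGNORECASE)

# Constructed log format for this demo (not a real WordPress log format).
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<site>\S+)\s+http_api\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def flag_update_requests(lines: Iterable[str], allowed_hosts: Sequence[str] = ()) -> List[dict]:
    """Return update-looking outbound requests to hosts outside the allowlist."""
    allowed = OFFICIAL_HOSTS | {h.lower() for h in allowed_hosts}
    findings = []
    for raw in lines:
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # unrelated or malformed line
        parsed = urlparse(m.group("url"))
        host = (parsed.hostname or "").lower()
        if not UPDATE_PATH.search(parsed.path):
            continue  # not an update check / package fetch
        if host in allowed or host.endswith(".wordpress.org"):
            continue  # expected destination
        findings.append({"ts": m.group("ts"), "site": m.group("site"),
                         "host": host, "url": m.group("url")})
    return findings


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = [
    "2021-12-01T10:15:02Z wp-host01 http_api POST https://api.wordpress.org/plugins/update-check/1.1/ 200",
    "2021-12-01T10:15:03Z wp-host01 http_api GET https://downloads.wordpress.org/plugin/hello-example.3.0.zip 200",
    "2021-12-01T10:15:04Z wp-host01 http_api GET https://updates.example.com/acme-billing/update-check 200",
    "2021-12-01T10:15:05Z wp-host01 http_api GET https://updates.unknown-vendor.example/plugins/acme-analytics.zip 200",
    "2021-12-01T10:15:06Z wp-host01 http_api POST https://hooks.example.net/webhook 204",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    # Declared Update URI hosts (e.g. from a plugin-header audit) go in the allowlist.
    for f in flag_update_requests(SAMPLE_LOG, allowed_hosts=["updates.example.com"]):
        print(f"{f['ts']} {f['site']} unexpected update source {f['host']}: {f['url']}")
```

Feeding the allowlist from the hosts declared in your plugins' Update URI headers keeps legitimate third-party update servers quiet and leaves only undeclared destinations, which is the signal that matters for this CVE.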
