CVE-2021-44223
HIGH
WordPress < 5.8 - Remote Code Execution via Plugin Update URI Spoofing
Title source: llmDescription
WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
References (2)
Core References
- Exploit, Third Party Advisory (x_refsource_misc): https://vavkamil.cz/2021/11/25/wordpress-plugin-confusion-update-can-get-you-pwned/
- Release Notes, Vendor Advisory (x_refsource_misc): https://make.wordpress.org/core/2021/06/29/introducing-update-uri-plugin-header-in-wordpress-5-8/
Scores
CVSS v3
8.1
EPSS
0.2749
EPSS Percentile
96.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (1)
wordpress/wordpress
< 5.8
Published
Nov 25, 2021
Tracked Since
Feb 18, 2026