WordPress 5.7.1 fixes a PHP 8 XXE flaw

WordPress's famous content management system (CMS) has been updated to version 5.7.1, which includes over 25 bug fixes and patches for two security vulnerabilities.

An XML External Entity (XXE) vulnerability in the ID3 library in PHP 8, which is used by WordPress, is one of the security bugs that has been patched. The vulnerability, identified as CVE-2021-29447, is of high severity.

The library, which was designed to decode ID3 tags from MP3 audio files, didn't specifically disable XML entities in PHP 8, making WordPress 5.7 and earlier versions vulnerable to XXE attacks via MP3 file uploads.

The vulnerability was discovered in August 2020 and could be used by someone with the ability to upload files. Only WordPress installations that use PHP 8 (0.3 percent) are vulnerable, so the vast majority of websites are protected from exploit attempts.

SonarSource, a code quality and security company that also specialises in PHP code testing, confirmed the error.

The second vulnerability, which affects the REST API, may be used to gain access to sensitive information. The security flaw, identified as CVE-2021-29450 and documented by Mikael Korpela, is of medium severity.

According to WordPress, the flaw occurs in a block in the WordPress editor that attackers might use to reveal password-protected posts and pages. The attacker must have at least contributor privileges to successfully exploit the bug.

WordPress developers are considering classifying Google's Federated Learning of Cohorts (FLoC) as a security threat and automatically blocking it on websites in order to improve the security of the platform.

FLoC, which is intended to replace third-party cookies, adds interest-based advertising to the mix, which divides users into broad categories based on their preferences, giving advertisers new ways to target them with advertisements.

Although FLoC is more private than cookies, it does have its own privacy consequences, such as tracking users and sharing data about their browsing habits with third parties. WordPress powers nearly half of all websites, and its creators are concerned about FLoC as a potential security risk to users' personal information.

WordPress, on the other hand, isn't the only online agency that sees FLoC as a possible privacy risk. Although Google has included the feature in Chrome, it has yet to be implemented by other browser vendors.

The Cybersecurity and Infrastructure Protection Agency (CISA) issued an advisory on Friday warning that the vulnerabilities discussed in WordPress 5.7.1 affect versions 4.7 to 5.7, and that attackers who successfully exploit either of these vulnerabilities could take control of an affected website.