9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
WordPress versions 3.7 to 5.7.1 were using a vulnerable version of the PHPMailer library, which was affected by a PHP Object Injection vulnerability through Phar Deserialization via addAttachment with a UNC pathname. To fix the vulnerability the PHPMailer library was updated from version 6.4.0 to 6.4.1. The PHPMailer library developers state that, “PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier CVE-2018-19296 object injection vulnerability as a result of a fix for Windows UNC paths in 6.1.8. Recorded as CVE-2020-36326. Reported by Fariskhi Vidyan via Tidelift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes in local path contexts.” To ensure that your WordPress website is secure against this vulnerability, update to version 5.7.2, or another patched minor version listed below.
github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
github.com/WordPress/WordPress/commit/267061c9595fedd321582d14c21ec9e7da2dcf62
wordpress.org/news/2021/05/wordpress-5-7-2-security-release/
www.wordfence.com/blog/2021/05/wordpress-5-7-2-security-release-what-you-need-to-know/
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P