WordPress before 5.8 lacks support for the Update URI plugin header. This makes it easier for remote attackers to execute arbitrary code via a supply-chain attack against WordPress installations that use any plugin for which the slug satisfies the naming constraints of the WordPress.org Plugin Directory but is not yet present in that directory.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_name": "wordpress", "binary_version": "5.8.1+dfsg1-2ubuntu1" }, { "binary_name": "wordpress-l10n", "binary_version": "5.8.1+dfsg1-2ubuntu1" }, { "binary_name": "wordpress-theme-twentynineteen", "binary_version": "5.8.1+dfsg1-2ubuntu1" }, { "binary_name": "wordpress-theme-twentytwenty", "binary_version": "5.8.1+dfsg1-2ubuntu1" }, { "binary_name": "wordpress-theme-twentytwentyone", "binary_version": "5.8.1+dfsg1-2ubuntu1" } ] }