A quick heads-up to everyone who runs or manages a self-hosted WordPress site: the WordPress security team has just released WordPress 5.7.2 to address a single security issue that affects every version from 3.7 through 5.7.
WordPress 5.7.2 Security Release
The issue patched by this release is an object injection in PHPMailer, the library WordPress bundles for sending email. NIST's National Vulnerability Database (NVD) tracks it as CVE-2020-36326 and describes it as follows:
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
As with any WordPress security release, update your installation as soon as possible. It's better to be safe than sorry: upgrade now, while it is a routine task, rather than after something has already happened to your site.
If automatic background updates are enabled on your installation (they have been on by default for minor and security releases since WordPress 3.7, unless you or your host turned them off), you don't have to do anything: the site upgrades itself to the latest version. If they are disabled, or you are not sure, log in to your WordPress Dashboard, go to Updates, and click Update Now.
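If you look after more than one site, checking each dashboard by hand is error-prone. The script below is an added example (it is not from the original post or from the WordPress project): it reads the core version recorded in each docroot's stock wp-includes/version.php and flags any site whose version falls in the range the advisory covers (3.7 up to, but not including, 5.7.2). The docroot layout, the sample sites it creates under a temporary directory, and the function names are all assumptions made for the example. Note that it compares against 5.7.2 only; the page does not list the point releases backported to older branches, so a flagged site on an older branch should be checked against the release announcement before you conclude it is unpatched.

```shell
#!/bin/sh
# Added example, not WordPress project code. Assumes each docroot keeps the
# stock wp-includes/version.php containing a line such as:
#     $wp_version = '5.7.1';

# Print the core version recorded in a WordPress docroot; fail if not found.
wp_core_version() {
    f="$1/wp-includes/version.php"
    [ -r "$f" ] || return 1
    v=$(awk -F"'" '/^\$wp_version *=/ { print $2; exit }' "$f")
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Compare two dotted version strings numerically; print -1, 0 or 1.
# Missing components count as 0, so "5.7" is older than "5.7.2".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print -1; exit }
            if (p > q) { print 1; exit }
        }
        print 0
    }'
}

# True when the version lies in the advisory range: 3.7 <= version < 5.7.2.
needs_update() {
    [ "$(vercmp "$1" 3.7)" -ge 0 ] && [ "$(vercmp "$1" 5.7.2)" -lt 0 ]
}

# Audit every docroot passed as an argument, one line per site.
# Exit status 1 if at least one site needs the update, 0 otherwise.
audit_wp_sites() {
    rc=0
    for root in "$@"; do
        v=$(wp_core_version "$root") || { echo "$root: no wp-includes/version.php"; continue; }
        if needs_update "$v"; then
            echo "$root: $v UPDATE NEEDED"
            rc=1
        elif [ "$(vercmp "$v" 3.7)" -lt 0 ]; then
            echo "$root: $v older than 3.7, outside the advisory range"
        else
            echo "$root: $v ok"
        fi
    done
    return $rc
}

# Build a constructed sample docroot (for the demo and tests only).
make_sample_docroot() {
    mkdir -p "$1/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$2" > "$1/wp-includes/version.php"
}

# Demo on constructed sample sites; real use would pass real docroots instead.
tmp=$(mktemp -d)
make_sample_docroot "$tmp/site-a" 5.7.1
make_sample_docroot "$tmp/site-b" 5.7.2
make_sample_docroot "$tmp/site-c" 3.6
if audit_wp_sites "$tmp/site-a" "$tmp/site-b" "$tmp/site-c" "$tmp/missing"; then
    echo "all sites are current"
else
    echo "at least one site needs WordPress 5.7.2"
fi
rm -rf "$tmp"
```

In practice you would run `audit_wp_sites` over the real docroots (for example `audit_wp_sites /var/www/*`) from a cron job or a deploy pipeline and alert on a non-zero exit status; the version file is read directly, so nothing touches the sites' PHP or database.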
Kudos to the members of the WordPress security team for promptly addressing this security issue and releasing the fix.
Have you already upgraded your WordPress site to WordPress 5.7.2? If not, what are you waiting for? Do it now!