PT-2021-18259 · WordPress · Wp-Cli
Schlessera · Published 2021-05-19 · Updated 2024-08-20 · CVE-2021-29504
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WP-CLI versions 0.12.0 through 2.4.x
Description: Improper error handling in HTTPS request management allows a network attacker who can intercept the connection to force certificate verification off, gaining full control over the communication content. This includes the ability to impersonate update servers and push malicious updates to WordPress instances or to WP-CLI itself. The issue stems from the default behavior of WP_CLI\Utils\http_request() when it encounters a TLS handshake error: it disables certificate validation and retries the request.
Recommendations: For WP-CLI versions 0.12.0 through 2.4.x, update to version 2.5.0 or later to resolve the issue. As a temporary workaround for dealing with the breaking change in commands directly affected by the new secure default behavior, add the --insecure flag to manually opt-in to the previous insecure behavior.
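As an added illustration (not WP-CLI's own code), the following hypothetical PHP helper shows the fallback pattern the description refers to next to the hardened form that matches the 2.5.0 behavior: verification stays on unless the caller explicitly opts in, as with the --insecure flag. The names curl_get, fetch_url_vulnerable and fetch_url_secure are assumptions.

```php
<?php
// Added example, not WP-CLI's own code. curl_get() is a hypothetical wrapper
// around PHP's curl extension used by both variants below.

function curl_get(string $url, bool $verify): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => $verify,          // check the chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST => $verify ? 2 : 0,  // check the hostname in the certificate
    ]);
    $body = curl_exec($ch);
    $err  = curl_errno($ch);
    curl_close($ch);
    return [$body === false ? '' : $body, $err];
}

function is_tls_error(int $errno): bool {
    // curl error codes raised by a failed handshake or a failed certificate check
    return in_array($errno, [CURLE_SSL_CONNECT_ERROR, CURLE_SSL_CACERT, CURLE_SSL_PEER_CERTIFICATE], true);
}

// VULNERABLE pattern: a TLS error silently disables verification and retries.
// Anyone who can break the first handshake gets the second, unverified one.
function fetch_url_vulnerable(string $url): string {
    [$body, $err] = curl_get($url, true);
    if ($err !== 0 && is_tls_error($err)) {
        [$body, $err] = curl_get($url, false);  // response is no longer authenticated
    }
    if ($err !== 0) {
        throw new RuntimeException("request failed: curl error $err");
    }
    return $body;
}

// HARDENED pattern: a TLS error is fatal; verification is only off when the
// caller passed an explicit opt-in (the CLI's --insecure flag maps to $insecure).
function fetch_url_secure(string $url, bool $insecure = false): string {
    [$body, $err] = curl_get($url, !$insecure);
    if ($err !== 0) {
        $hint = is_tls_error($err) ? ' (TLS/certificate error; pass --insecure to opt in to an unverified request)' : '';
        throw new RuntimeException("request failed: curl error $err$hint");
    }
    return $body;
}
```

In the hardened form a failed verification surfaces as an error the operator sees, which is also the event worth logging when such requests run unattended.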

Weakness Enumeration: Improper Certificate Validation

Related Identifiers

ALT-PU-2023-1422
ALT-PU-2024-11224
BIT-WP-CLI-2021-29504
CVE-2021-29504
GHSA-RWGM-F83R-V3QJ
OPENSUSE-SU-2024:11514-1

Affected Products

Alt Linux
Wp-Cli