If a WordPress installation uses a plugin that has never been published to the WordPress.org Plugin Directory (the plugin "store"), an attacker can claim that plugin's name in the directory and upload a malicious plugin under it. The installation's update check may then offer the attacker's plugin as an update, and installing it results in a complete takeover of the installation.

The issue was discovered during the WordPress 5.8 release cycle and fixed in 5.8 by introducing a new mechanism to prevent plugin confusion. The fix was not backported to older major versions, so any installation running an older version is potentially vulnerable.

Because exploitation depends on the installation using a plugin that is not known to the WordPress.org directory, the issue may not be exploitable on installations that have no such plugins.
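The mechanism WordPress 5.8 introduced is the `Update URI` plugin header: a plugin that declares an Update URI not pointing at wordpress.org (or the literal value `false`) is left out of the wordpress.org update check, so a same-named directory plugin can no longer be offered as its update. The following script is an added example, not code from this advisory or from WordPress: it parses plugin headers the way WordPress does and flags privately developed plugins that still lack the header. The two plugin headers and the host name `updates.acme.example` are constructed sample data.

```python
import re
from urllib.parse import urlparse

# WordPress reads "Key: Value" lines from the comment block at the top of the
# plugin's main PHP file (first 8 KiB); only two keys matter for this check.
_HEADER_RE = re.compile(
    r"^[ \t/*#@]*(?P<key>Plugin Name|Update URI)[ \t]*:[ \t]*(?P<val>.*?)[ \t]*$",
    re.MULTILINE,
)
_WPORG_HOSTS = {"wordpress.org", "w.org"}


def parse_plugin_header(source: str) -> dict:
    """Return the recognised header fields of a plugin's main PHP file."""
    fields = {}
    for m in _HEADER_RE.finditer(source[:8192]):
        fields.setdefault(m.group("key"), m.group("val").rstrip(" */"))
    return fields


def confusion_risk(header: dict) -> str:
    """'exposed': no Update URI, so the core update check asks wordpress.org
    for this plugin and a same-named directory plugin could be offered as an
    update. 'wporg': Update URI points at wordpress.org (directory plugins).
    'private': Update URI is 'false' or a third-party host, excluded from the
    wordpress.org check."""
    uri = header.get("Update URI", "").strip()
    if not uri:
        return "exposed"
    if uri.lower() == "false":
        return "private"
    host = (urlparse(uri).hostname or "").lower()
    if host in _WPORG_HOSTS or host.endswith(".wordpress.org"):
        return "wporg"
    return "private"


# Constructed sample headers: an in-house plugin before and after adding Update URI.
LEGACY_PLUGIN = """<?php
/**
 * Plugin Name: Acme Internal Tools
 * Description: In-house plugin, never published to wordpress.org.
 * Version: 1.4.0
 */"""
HARDENED_PLUGIN = """<?php
/*
Plugin Name: Acme Internal Tools
Version: 1.4.1
Update URI: https://updates.acme.example/wp/acme-internal-tools
*/"""

if __name__ == "__main__":
    for src in (LEGACY_PLUGIN, HARDENED_PLUGIN):
        h = parse_plugin_header(src)
        print(f"{h.get('Plugin Name')}: {confusion_risk(h)}")
```

Run it over the main file of every plugin under `wp-content/plugins/` to get the list of plugins that would still be looked up on wordpress.org.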

Nevertheless, upgrading to the latest major WordPress version is generally recommended, since older versions are not guaranteed to receive security updates.