If you’re running your website on WordPress and you haven’t yet upgraded to version 4.8.3, you should do so without delay. The advice comes from the WordPress Foundation and Anthony Ferrara, VP of engineering at Lingo Live, who flagged a SQL injection vulnerability in the popular CMS that could be exploited to take over sites running on it. WordPress 4.8.3 is now available.
This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Anthony Ferrara. This release includes a change in behaviour for the esc_sql() function.
Most developers will not be affected by this change, you can read more details in the developer note. Ferrara published technical details about the flaw, and explained that it was initially discovered by someone else months ago. His discovery was related to a poor fix that was pushed out by the Foundation in WordPress v4.8.2. Not only did the fix break a lot of sites that used an undocumented functionality that was removed, but it didn’t fix the root issue, just a narrow subset of the potential exploits. “The 4.8.3 patch mitigates the extent of the issues I could find, and I believe is the second best way to fix the issue (with the first being a much more complex and time consuming change that still needs to happen),” Ferrara noted.
Advice for WordPress users As noted before, site owners should upgrade to WP 4.8.3 as soon as possible. Ferrera also advises updating any plugins that override $wpdb (like HyperDB, LudicrousDB , etc). Updating WordPress installations is easy: go to Dashboard → Updates and select the “Update Now” option. Those who have opted to receive automatic background updates don’t have to do that – their WP installation has probably already been updated. Hosts should upgrade wp-db.php for clients. “There may be some firewall rules in the mean time that you could implement (such as blocking % and other sprintf() values), but your mileage may vary,” Ferrera added.
Don’t leave yourself exposed. Find your vulnerabilities before cybercriminals do. Contact us for Vulnerability Assessment and Penetration Testing.