Months-old SQL injection flaw patched

WordPress site owners have been urged to upgrade to version 4.8.3 immediately, as details emerge of an SQL injection vulnerability affecting themes and plugins running on the platform.

“WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection,” WordPress core developer Gary Pendergast said in a security alert.

“WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.”
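The hardening is aimed at a plugin-side misuse pattern rather than at core. The snippet below is an added illustration, not code from the article or from WordPress, of the class of mistake the alert describes: passing text that has already gone through $wpdb->prepare() back into a second $wpdb->prepare() call, where any % sequence in the user-supplied value is read as a placeholder. The table name and the two helper functions are hypothetical; $wpdb->prepare(), $wpdb->esc_like(), $wpdb->get_results() and $wpdb->prefix are the real wpdb API. Exactly how the first query is rewritten depends on the WordPress version, so treat the comments as describing the failure mode, not a specific exploit.

```php
<?php
// Added illustration, not code from the article or from WordPress core.
// Assumes a plugin table named {$wpdb->prefix}plugin_items (hypothetical).

// Unsafe pattern: the output of one prepare() call is spliced into the
// format string of a second prepare() call. The first call escapes quotes
// in $search but leaves % characters alone, so a value such as "%s" or
// "%1$s" survives into the second call, where prepare() treats it as a
// placeholder and rewrites the query into something the author never wrote.
function plugin_find_items_unsafe( $search, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'plugin_items';

    // User-controlled text is now embedded in a string that will be used
    // as a format string below.
    $where = $wpdb->prepare(
        'WHERE title LIKE %s',
        '%' . $wpdb->esc_like( $search ) . '%'
    );

    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$table} {$where} AND status = %s", $status )
    );
}

// Safe pattern: a single prepare() call whose format string is fixed at
// authoring time and whose every user value is passed as an argument.
// Nothing derived from user input ever becomes part of the format string.
function plugin_find_items_safe( $search, $status ) {
    global $wpdb;
    $table = $wpdb->prefix . 'plugin_items';

    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$table} WHERE title LIKE %s AND status = %s",
            '%' . $wpdb->esc_like( $search ) . '%',
            $status
        )
    );
}
```

When auditing a plugin or theme for this issue, grep for prepare() calls whose first argument is built from a variable, and for any variable that holds the return value of prepare() or esc_sql() and is later concatenated into another query; each such site should collapse into one prepare() call with a literal format string.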

The issue was flagged by Anthony Ferrara, vice president of engineering at Lingo Live, who said the foundations of the flaw were originally spotted “many months ago” by someone else.

Ferrara’s discovery was related to an inadequate fix that WordPress pushed out in version 4.8.2. Not only did that original ‘fix’ break many sites, it mitigated only a narrow subset of the potential exploits.

Providing a timeline of events, he said: “I reported a new vulnerability the day after 4.8.2 was released. It was ignored for several weeks. Finally, when I got the attention of the team, they wanted to fix a subset of the issue I reported.

“It became clear to me that releasing a partial fix was worse than no fix. So I decided the only way to make the team realize the full extent was to Full Disclosure the issue.”

The security release also changes the behavior of the esc_sql() function. WordPress said most developers will not be affected by this change; those who are can find mitigation details in the technical notes accompanying the release.