A security researcher named “Anthony Ferrara” has found a critical SQL Injection (SQLI) vulnerability in the WordPress CMS. According to WordPress team, the vulnerability exists in all previous versions of the CMS, Whereas the vulnerability has been patched in the latest WordPress version 4.8.3 released which was released yesterday. Therefore, WordPress has strongly encouraged all it’s CMS users to upgrade their scripts to the latest version as soon as possible.
WordPress reported that the issue comes from $wpdb->prepare(), which can create unexpected and unsafe queries leading to an SQL Injection (SQLI). WordPress team have said that the vulnerability is not in the core script, but can be caused by plugins and themes using $wpdb->prepare(). WordPress had been made changes to the esc_sql() function to prevent SQL Injection queries, However the changes wont have any effects on WordPress developers.
The vulnerability founder, Anthony Ferrara shared a story on his blog on how he got WordPress team to pay attention to the bug reported. Although WordPress had literally ignored the bug, thinking it wasn’t a vulnerability. After Anthony Ferrara asked permission for disclosing the vulnerability to the public, WordPress team decided to have another look into the reported vulnerability, which then was found to be a serious flaw.
To read the original article :