WordPress < 4.8.3 Vulnerable To SQL Injection (SQLI) Exploit

Haythem Elmir

A security researcher named “Anthony Ferrara” has found a critical SQL Injection (SQLI) vulnerability in the WordPress CMS. According to WordPress team, the vulnerability exists in all previous versions of the CMS, Whereas the vulnerability has been patched in the latest WordPress version 4.8.3 released which was released yesterday. Therefore, WordPress has strongly encouraged all it’s CMS users to upgrade their scripts to the latest version as soon as possible.

WordPress reported that the issue comes from $wpdb->prepare(), which can create unexpected and unsafe queries leading to an SQL Injection (SQLI). WordPress team have said that the vulnerability is not in the core script, but can be caused by plugins and themes using $wpdb->prepare(). WordPress had been made changes to the esc_sql() function to prevent SQL Injection queries, However the changes wont have any effects on WordPress developers.

The vulnerability founder, Anthony Ferrara shared a story on his blog on how he got WordPress team to pay attention to the bug reported. Although WordPress had literally ignored the bug, thinking it wasn’t a vulnerability. After Anthony Ferrara asked permission for disclosing the vulnerability to the public, WordPress team decided to have another look into the reported vulnerability, which then was found to be a serious flaw.
To read the original article :


Laisser un commentaire

Next Post

Highly Critical Flaw (CVSS Score 10) Lets Hackers Hijack Oracle Identity Manager

A highly critical vulnerability has been discovered in Oracle’s enterprise identity management system that can be easily exploited by remote, unauthenticated attackers to take full control over the affected systems. The critical vulnerability tracked as CVE-2017-10151, has been assigned the highest CVSS score of 10 and is easy to exploit […]