WordPress site admins: Update immediately!
If you’re running your website on WordPress and you haven’t yet upgraded to version 4.8.3, you should do so without delay.
The advice comes from the WordPress Foundation and Anthony Ferrara, VP of engineering at Lingo Live, who flagged a SQL injection vulnerability in the popular CMS that could be exploited to take over sites running on it.
About the vulnerability
“WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability,” the Foundation explained.
Ferrara published technical details about the flaw, and explained that it was initially discovered by someone else months ago.
His discovery was related to a poor fix that was pushed out by the Foundation in WordPress v4.8.2. Not only did the fix break a lot of sites that used an undocumented functionality that was removed, but it didn’t fix the root issue, just a narrow subset of the potential exploits.
“The 4.8.3 patch mitigates the extent of the issues I could find, and I believe is the second best way to fix the issue (with the first being a much more complex and time consuming change that still needs to happen),” Ferrara noted.
Advice for WordPress users
As noted before, site owners should upgrade to WP 4.8.3 as soon as possible. Ferrera also advises updating any plugins that override $wpdb (like HyperDB, LudicrousDB , etc).
Updating WordPress installations is easy: go to Dashboard → Updates and select the “Update Now” option. Those who have opted to receive automatic background updates don’t have to do that – their WP installation has probably already been updated.
Hosts should upgrade wp-db.php for clients. “There may be some firewall rules in the mean time that you could implement (such as blocking % and other sprintf() values), but your mileage may vary,” Ferrera added.