A bug discovered in WordPress allows attackers to trigger an SQL injection attack leading to complete website hijacking.
The vulnerability was discovered in the WordPress content management system (CMS) versions 4.8.2 and below. On Tuesday, WordPress announced the launch of version 4.8.3 as a security release which mitigates the security flaw.
The WordPress release announcement states: “WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.”
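As an added illustration (not WordPress's own code), the snippet below uses a simplified model of the sprintf-style substitution behind $wpdb->prepare() to show why plugin code must pass user values as arguments rather than building them into the query string; the model function, the table and column names, and the inputs are all constructed for this example.

```php
<?php
// Simplified model of $wpdb->prepare() as it behaved before 4.8.3 (constructed
// for this example, not the WordPress implementation): bare %s placeholders are
// single-quoted, arguments are escaped, then vsprintf() does the substitution.
function model_prepare(string $query, ...$args): string
{
    $query = str_replace("'%s'", '%s', $query);           // tolerate pre-quoted %s
    $query = preg_replace('/(?<!%)%s/', "'%s'", $query);   // quote every bare %s
    $args  = array_map(fn($a) => is_string($a) ? addslashes($a) : $a, $args);
    return vsprintf($query, $args);
}

// Constructed inputs: $name is attacker-controlled, $status is fixed by the developer.
// The value contains no quote, so quote-escaping (esc_sql/addslashes) leaves it intact,
// but it does contain a positional format directive.
$name   = '%1$s';
$status = 'publish';

// Unsafe pattern: the escaped user value is concatenated into the query string, so its
// "%1$s" is treated as a placeholder and consumes the developer's own argument.
$unsafe = model_prepare(
    "SELECT ID FROM wp_posts WHERE post_title = '" . addslashes($name) . "' AND post_status = %s",
    $status
);
// $unsafe: SELECT ID FROM wp_posts WHERE post_title = 'publish' AND post_status = 'publish'
// The attacker has changed what the query compares, without supplying a single quote.

// Safe pattern: every user-controlled value travels as an argument; the query string
// contains only developer-written text and placeholders.
$safe = model_prepare(
    "SELECT ID FROM wp_posts WHERE post_title = %s AND post_status = %s",
    $name, $status
);
// $safe: SELECT ID FROM wp_posts WHERE post_title = '%1$s' AND post_status = 'publish'
// Here the same input is just a harmless string literal.

echo $unsafe, PHP_EOL, $safe, PHP_EOL;
```

When auditing a plugin or theme, the pattern to look for is any prepare() call whose first argument is built from a variable rather than a fixed string.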
Ferrara, VP of engineering at Lingo Live, published technical details about the flaw and explained that it was initially discovered by someone else months ago.
His discovery was related to a poor fix that was pushed out by the Foundation in WordPress v4.8.2. Not only did that fix break a lot of sites that relied on undocumented functionality it removed, but it didn’t fix the root issue, only a narrow subset of the potential exploits.
“The 4.8.3 patch mitigates the extent of the issues I could find, and I believe is the second best way to fix the issue (with the first being a much more complex and time consuming change that still needs to happen),” Ferrara noted.