On October 30, 2017, WordPress released version 4.8.3, which fixed an important SQL injection vulnerability. An encoding issue in $wpdb allows WordPress to receive and run insecure queries, resulting in potential SQL injection and a high security risk.
See the following for more information about the vulnerability.
WPDB SQL injection vulnerability in all versions of WordPress
$wpdb->prepare() can receive and run insecure queries, resulting in potential SQL injection. WordPress core itself is not directly vulnerable to this issue; exposure depends on how plugins and themes build the queries they pass to prepare().
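As an added example (not code from this advisory or from WordPress core), the call pattern that hands prepare() an already-built query beside the intended placeholder usage, followed by a heuristic source scan a reviewer can run over plugin code; the function names are illustrative and the code assumes the global $wpdb object WordPress provides to plugins.

```php
<?php
// Added example; assumes WordPress's global $wpdb. Function names are illustrative.

// PATTERN TO AVOID: the user value is spliced into the query text before
// prepare() sees it. prepare() then treats the whole string as a format
// string, so any %-sequences inside $user_term are interpreted as
// placeholders and the quoting prepare() should have applied never happens.
function find_posts_unsafe( $user_term ) {
    global $wpdb;
    $sql = "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE '%{$user_term}%'";
    return $wpdb->get_col( $wpdb->prepare( $sql ) );
}

// INTENDED USAGE: only literal SQL and %s/%d placeholders in the format
// string; every user value is passed as a separate argument; LIKE wildcards
// in the value are neutralised with esc_like(); the wildcard '%' lives in
// the bound value, not in the format string (since 4.8.3 a literal % in the
// format string must be written as %%).
function find_posts_safe( $user_term ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( $user_term ) . '%';
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s LIMIT %d",
        $pattern,
        50
    );
    return $wpdb->get_col( $sql );
}

// Heuristic audit helper for plugin/theme source: returns the line numbers of
// prepare() calls whose format string is a double-quoted PHP string that
// interpolates a variable other than $wpdb (table-name interpolation such as
// {$wpdb->posts} or {$wpdb->prefix} is the normal idiom and is not flagged).
function flag_interpolated_prepare( $php_source ) {
    $re = '/->prepare\(\s*"(?:[^"\\\\$]|\\\\.|\$wpdb->)*\$(?!wpdb->)\{?\w+/';
    $lines = array();
    if ( preg_match_all( $re, $php_source, $m, PREG_OFFSET_CAPTURE ) ) {
        foreach ( $m[0] as $hit ) {
            $lines[] = substr_count( substr( $php_source, 0, $hit[1] ), "\n" ) + 1;
        }
    }
    return $lines;
}

// Constructed self-check: the unsafe function above is flagged, the safe one is not.
var_dump( flag_interpolated_prepare( file_get_contents( __FILE__ ) ) );
```

Running the file reports only the line of find_posts_unsafe(); the scan is a triage aid, and each hit still needs manual review.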
Condition and method of exploitation
A proof of concept (PoC) is available, and the vulnerability can be exploited remotely.
Affected versions
WordPress < 4.8.3
Check whether the WordPress version in use is older than 4.8.3.
How to fix or mitigate
In the WordPress admin dashboard, select Update to upgrade to the latest official version, 4.8.3.
Alternatively, use Alibaba Cloud Security WAF to block exploitation attempts.