
[Vulnerability notice] WPDB SQL injection vulnerability in all versions of WordPress

Last Updated: Apr 08, 2018

On October 30, 2017, WordPress released WordPress 4.8.3, which fixed an important SQL injection vulnerability. An issue in how $wpdb handles query encoding allows unsafe queries to be accepted and executed, resulting in potential SQL injection and a high security risk.

See the following for more information about the vulnerability.

CVE identifier: None

Vulnerability name: WPDB SQL injection vulnerability in all versions of WordPress

Vulnerability rating: High

Vulnerability description: $wpdb->prepare() can receive and run insecure queries, resulting in potential SQL injection. However, WordPress core is not directly vulnerable to this issue.

Condition and method of exploitation: The vulnerability can be exploited remotely (see PoC status below).

PoC status: Unpublished

Affected scope: WordPress < 4.8.3

Vulnerability detection

Check whether any affected version of WordPress is used.
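One way to automate this check, added here as an example and not part of the original notice or of WordPress: read the version string from wp-includes/version.php (the file WordPress ships its version in) and compare it against the fixed release 4.8.3. The sample file contents and the `audit_version_file` helper are constructed for this example; a pre-release build of 4.8.3 is treated as older than the release, since it may predate the fix.

```python
import re
from typing import Optional

FIXED_VERSION = "4.8.3"  # first release containing the fix (from the notice)

# Constructed sample of wp-includes/version.php from an affected install.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.8.2';
$wp_db_version = 38590;
"""


def parse_wp_version(php_source: str) -> Optional[str]:
    """Extract the $wp_version assignment from version.php source text."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", php_source)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Sortable key: (major, minor, patch, is_final_release).

    '4.8.3-RC1' -> (4, 8, 3, 0) sorts before '4.8.3' -> (4, 8, 3, 1),
    so a pre-release of the fixed version still counts as affected.
    """
    core, _, suffix = version.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return tuple(parts) + (0 if suffix else 1,)


def is_affected(version: str) -> bool:
    """True when the version falls inside the affected scope (< 4.8.3)."""
    return version_key(version) < version_key(FIXED_VERSION)


def audit_version_file(php_source: str) -> dict:
    """Summarise one version.php; unknown version is reported, not assumed safe."""
    version = parse_wp_version(php_source)
    return {
        "version": version,
        "affected": is_affected(version) if version else None,
        "fixed_in": FIXED_VERSION,
    }


if __name__ == "__main__":
    # Replace the sample with open("wp-includes/version.php").read() on a real host.
    print(audit_version_file(SAMPLE_VERSION_PHP))
```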

How to fix or mitigate

  • Select Update on the backend dashboard of WordPress to upgrade WordPress to the latest official version 4.8.3.

  • Alternatively, use Alibaba Cloud Security WAF for defense.

Reference

[1]. https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
[2]. https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
