WordPress patches SQL injection bug in security release

Webmasters should update immediately to prevent website takeovers.
Written by Charlie Osborne, Contributing Writer

A bug discovered in WordPress allows attackers to trigger an SQL injection attack leading to complete website hijacking.

The vulnerability was discovered in the WordPress content management system (CMS) versions 4.8.2 and below. On Tuesday, WordPress announced the launch of version 4.8.3 as a security release which mitigates the security flaw.

The CMS provider "strongly encourage[s] you to update your sites immediately."

The vulnerability, CVE-2017-14723, occurs as WordPress versions 4.8.2 and earlier mishandles certain characters, which can lead to $wpdb->prepare() creating "unexpected and unsafe queries" which can lead to potential SQL injection attacks.

"WordPress core is not directly vulnerable to this issue, but we've added hardening to prevent plugins and themes from accidentally causing a vulnerability," WordPress says.

The vulnerability was reported by security researcher Anthony Ferrara through the HackerOne bug bounty platform on September 20th.

The problem was discovered in a fix released by WordPress in 4.8.2 that didn't actually resolve a core security issue and also impacted functionality for many websites, breaking an estimated 1.2 million lines of code in the process.

A day after the release, Ferrara reported the bug, but says the notice was "ignored for several weeks."

After notifying the WordPress team that he intended to disclose the issue publicly, WordPress then gave the researcher its attention, and after five weeks, frustration on the researcher's part and miscommunication issues, the Wordpress team and Ferrara were able to negotiate a time for public release.

WordPress and Ferrara worked together to then create a fix which mitigates the issue -- although the researcher says that more needs to be done to completely resolve the problems the previous patch caused.

Ferrara said:

"The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can't double-prepare a string.

It's worth saying that this would be a major breaking change for WP.

It doesn't need to be (and in practice shouldn't) overnight - they can do it in parallel with the existing API, deprecating the old one and removing in time - but it does need to happen.

The current system is insecure-by-design. That doesn't mean it's always hackable, but it means you have to actively work to make it not attackable."

"The core issue is mitigated," Ferrara added. "My perspective of the interaction was frustrating at first, but got far better towards the end. I was disappointed for a good part of the past 6 weeks. I'm now cautiously hopeful."

Users can update automatically or download WordPress 4.8.3 to manually update.

In September, WordPress fixed a cross-site scripting vulnerability and a path traversal security flaw in a security patch.

Must-have mobile apps to encrypt your texts and calls

Previous and related coverage

Editorial standards