WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Vulnerabilities

WP < 6.0.3 - SQLi in WP_Date_Query

Description

WP does not properly sanitize the relation passed to WP_Date_Query, which could lead to SQL injection

Affects WordPress

6.0.2
Fixed in version 6.0.3
6.0.1
Fixed in version 6.0.3
6.0
Fixed in version 6.0.3
5.9.4
Fixed in version 5.9.5
5.9.3
Fixed in version 5.9.5
5.9.2
Fixed in version 5.9.5
5.9.1
Fixed in version 5.9.5
5.9
Fixed in version 5.9.5
5.8.5
Fixed in version 5.8.6
5.8.4
Fixed in version 5.8.6

References

URL
https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release/
URL
https://github.com/WordPress/wordpress-develop/commit/d815d2e8b2a7c2be6694b49276ba3eee5166c21f

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Michael Mazzolini

Verified

Yes

WPVDB ID
1da03338-557f-4cb6-9a65-3379df4cce47

Timeline

Publicly Published

2022-10-17 (about 3 months ago)

Added

2022-10-19 (about 3 months ago)

Last Updated

2022-10-19 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin