logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

WordPress <= 4.8.2 - $wpdb->prepare() Weakness

Description

WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Anthony Ferrara.

Affects WordPresses

3.8.1

Fixed in version 3.8.23

3.8

Fixed in version 3.8.23

3.7.1

Fixed in version 3.7.23

3.6

Fixed in version 4.8.3

3.5.2

Fixed in version 4.8.3

3.5.1

Fixed in version 4.8.3

3.5

Fixed in version 4.8.3

3.4.2

Fixed in version 4.8.3

3.4.1

Fixed in version 4.8.3

3.4

Fixed in version 4.8.3

References

CVE

CVE-2017-16510

URL

https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/

URL

https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d

URL

https://twitter.com/ircmaxell/status/923662170092638208

URL

https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

No

WPVDB ID

c161f0f0-6527-4ba4-a43d-36c644e250fc

Timeline

Publicly Published

2017-10-31 (about 3 years ago)

Added

2017-10-31 (about 3 years ago)

Last Updated

2020-09-22 (about 10 months ago)

Our Other Services

WPScan WordPress Security Plugin