On Tuesday, WordPress announced the launch of version 4.8.3, a security release that fixes an SQL injection flaw in the $wpdb->prepare() function.
“Today, a significant SQL-Injection vulnerability was fixed in WordPress 4.8.3. Before reading further, if you haven’t updated yet stop right now and update.”
The advice comes from the WordPress Foundation and Anthony Ferrara, VP of engineering at Lingo Live, who discovered the WordPress flaw that allows attackers to trigger an SQL injection attack leading to complete website hijacking. The vulnerability affects versions 4.8.2 and earlier.
Ferrara published technical details about the flaw and explained that it was initially discovered by someone else months ago.
The vulnerability, CVE-2017-14723, occurs as WordPress versions 4.8.2 and earlier mishandles certain characters.
“WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability,” the Foundation explained.
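The hardening described above targets plugin and theme code that builds the format string passed to $wpdb->prepare() from untrusted data. The following is an added example (not WordPress core code, and not from Ferrara's write-up) showing that unsafe pattern beside the form that stays safe regardless of core's hardening. It assumes a WordPress environment where the global $wpdb object is available; prepare(), get_results(), esc_like() and the $prefix property are real wpdb members, while the table name and the function names are hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumes a WordPress runtime
// providing the global $wpdb object. "example_items" is a hypothetical
// plugin table; the example_* functions are illustrative names.

// UNSAFE pattern (the kind of plugin code the advisory refers to):
// $name is spliced into the SQL text *before* prepare() sees it, so it
// becomes part of the format string instead of a bound value. Any
// placeholder-like sequence in $name is then interpreted by prepare()
// rather than treated as data. Passing the output of one prepare() call
// back into prepare() ("double prepare") has the same effect.
function example_lookup_unsafe( $name, $owner_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';          // hypothetical table
    $sql   = "SELECT * FROM {$table} WHERE name = '{$name}' AND owner = %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $owner_id ) );
}

// HARDENED pattern: the format string is a fixed literal written by the
// developer, every dynamic value is bound through a placeholder, and
// prepare() is called exactly once on the query.
function example_lookup_safe( $name, $owner_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';
    $sql   = "SELECT * FROM {$table} WHERE name = %s AND owner = %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $name, $owner_id ) );
}

// Same rule for LIKE searches: escape the user-supplied part with
// esc_like() so literal % and _ in it are not wildcards, append the one
// wildcard you intend, and bind the whole pattern as a %s value.
function example_search_safe( $prefix, $owner_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';
    $like  = $wpdb->esc_like( $prefix ) . '%';
    $sql   = "SELECT * FROM {$table} WHERE name LIKE %s AND owner = %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $like, $owner_id ) );
}
```

When reviewing a plugin or theme, the check is mechanical: every call to $wpdb->prepare() should receive a format string that contains no interpolated variables and is not itself the result of an earlier prepare(); any dynamic value, including LIKE patterns, belongs in the argument list.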
Ironically, the release last month of WordPress 4.8.2 was intended to protect against the vulnerability, but – according to Ferrara – it actually “broke a lot of sites” and “didn’t actually fix the root issue (but just a narrow subset of the potential exploits)”.
The CMS provider “strongly encourage[s] you to update your sites immediately.”
Ferrara says that he informed the WordPress team of the problem straight after the release of 4.8.2, but was effectively “ignored for several weeks.”
Not only did the 4.8.2 fix break a lot of sites that relied on undocumented functionality that was removed, but it did not fix the root issue, just a narrow subset of the potential exploits.