On October 31st 2017 WordPress announced the release of version 4.8.3, a security update for all previous versions of WordPress. It is strongly advised that all WordPress sites be updated immediately, as this release includes fixes for recently disclosed vulnerabilities in versions 4.8.2 and earlier.
The security update fixes an issue, present in all previous versions, where $wpdb->prepare() can create unexpected and unsafe queries which may lead to SQL injection (SQLi) and, if exploited by an attacker, could allow them to take control of WordPress-powered websites. WordPress have stated that their core offering is not directly vulnerable to this issue, and that the latest release adds hardening to prevent site plugins and themes from accidentally causing a vulnerability.
Note: This release also changes the behaviour of the esc_sql() function. Most developers will not be affected by this change; a blog post on the WordPress website (see Further reading) provides further information.
Our Recommendation
Ward Solutions strongly recommends that all customers using WordPress immediately review their websites for exposure to the vulnerability described above, and patch to 4.8.3 as soon as possible.
Details on how to upgrade WordPress are available in the advisory notice issued by the company. For sites whose WordPress instances are set to auto-update, Ward recommends, given the criticality of the vulnerability, that administrators manually confirm the update completed successfully.
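As an added example (not from the advisory and not WordPress code), the following Python script turns the two recommendations above into checks that can be run against a copy of a site's files. It confirms that $wp_version in wp-includes/version.php is at least 4.8.3, and it flags $wpdb->prepare() calls under wp-content/ whose query argument is anything other than a single string literal: a format string built by concatenation, passed in from a variable, or carrying an interpolated variable is the pattern the 4.8.3 hardening is aimed at, and each such call should be reviewed by hand. The sample plugin source and version file embedded in the script are constructed; the scan is a textual heuristic (it will also match calls inside comments, and it treats {$wpdb->prefix} table-name interpolation as acceptable), so its findings are a review list, not a verdict.

```python
"""Review helper (added example, not WordPress code): verifies the core version
and flags $wpdb->prepare() calls whose format string is not a single literal."""
import os
import re
import sys

REQUIRED_VERSION = (4, 8, 3)  # release carrying the fix discussed in the advisory

# Start of a $wpdb->prepare( call; the '(' is the last matched character.
PREPARE_CALL = re.compile(r'\$wpdb\s*->\s*prepare\s*\(')
# A first argument consisting of exactly one single- or double-quoted literal.
SINGLE_LITERAL = re.compile(r"""^\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")\s*$""", re.S)
# A PHP variable interpolated into a double-quoted string, ignoring $wpdb->...
# (table-name interpolation such as {$wpdb->prefix}posts is not user data).
INTERPOLATION = re.compile(r'(?<!\\)\$(?!wpdb\b)')

# Constructed sample inputs so the script runs without a WordPress install.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.8.3';\n"
SAMPLE_PLUGIN = r'''<?php
// constructed sample plugin code, not from any real plugin
$ok     = $wpdb->prepare( "SELECT ID FROM {$wpdb->users} WHERE user_login = %s", $login );
$risky1 = $wpdb->prepare( "SELECT ID FROM {$wpdb->users} WHERE user_login = '" . esc_sql( $login ) . "'" );
$risky2 = $wpdb->prepare( "SELECT ID FROM {$wpdb->prefix}posts WHERE post_name = '$slug' AND post_status = %s", $status );
$risky3 = $wpdb->prepare( $query_built_elsewhere, $id );
'''


def parse_wp_version(version_php):
    """Return (major, minor, patch) from the text of wp-includes/version.php, or None."""
    m = re.search(r"""\$wp_version\s*=\s*['"]([^'"]+)['"]""", version_php)
    nums = m and re.match(r'(\d+)\.(\d+)(?:\.(\d+))?', m.group(1))
    return tuple(int(g or 0) for g in nums.groups()) if nums else None


def is_patched(version_php):
    """True when the parsed core version is at least REQUIRED_VERSION."""
    v = parse_wp_version(version_php)
    return v is not None and v >= REQUIRED_VERSION


def first_argument(src, open_paren):
    """Text of the first argument of the call whose '(' is at src[open_paren]."""
    depth, quote, i = 0, None, open_paren + 1
    while i < len(src):
        c = src[i]
        if quote:                       # inside a string literal
            if c == '\\':
                i += 1                  # skip the escaped character
            elif c == quote:
                quote = None
        elif c in '\'"':
            quote = c
        elif c in '([{':
            depth += 1
        elif c in ')]}' or (c == ',' and depth == 0):
            if depth == 0:              # end of the first argument
                return src[open_paren + 1:i]
            depth -= 1
        i += 1
    return src[open_paren + 1:]         # unterminated call: return what is there


def classify(arg):
    """Reason the argument needs review, or None when it is a plain literal."""
    m = SINGLE_LITERAL.match(arg)
    if not m:
        return 'format string built by concatenation or passed in a variable'
    lit = m.group(1)
    if lit[0] == '"' and INTERPOLATION.search(lit[1:-1]):
        return 'variable interpolated into double-quoted format string'
    return None


def find_risky_prepare_calls(src, filename='<input>'):
    """(filename, line, reason, argument) for each prepare() call needing review."""
    findings = []
    for m in PREPARE_CALL.finditer(src):
        arg = first_argument(src, m.end() - 1)
        reason = classify(arg)
        if reason:
            line = src.count('\n', 0, m.start()) + 1
            findings.append((filename, line, reason, ' '.join(arg.split())))
    return findings


def scan_tree(root):
    """Run find_risky_prepare_calls over every .php file under root."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith('.php'):
                path = os.path.join(dirpath, name)
                with open(path, encoding='utf-8', errors='replace') as fh:
                    results.extend(find_risky_prepare_calls(fh.read(), path))
    return results


if __name__ == '__main__':
    if len(sys.argv) > 1:               # usage: python review_wp.py /path/to/wordpress
        root = sys.argv[1]
        with open(os.path.join(root, 'wp-includes', 'version.php')) as fh:
            print('core patched' if is_patched(fh.read()) else 'core NOT patched: update to 4.8.3')
        findings = scan_tree(os.path.join(root, 'wp-content'))
    else:                               # no argument: run against the constructed samples
        print('core patched:', is_patched(SAMPLE_VERSION_PHP))
        findings = find_risky_prepare_calls(SAMPLE_PLUGIN, 'sample-plugin.php')
    for path, line, reason, arg in findings:
        print(f'{path}:{line}: {reason}: {arg}')
```

Run without arguments it reports on the embedded samples (the $ok call passes, the three $risky calls are listed with their line numbers); given the path of a WordPress installation it reads the real version.php and walks wp-content/. A flagged call is not automatically exploitable: the reviewer still has to trace where the data in the format string comes from, but after 4.8.3 the safe form is always the same, a literal query with %s/%d placeholders and every value passed as an argument.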
If you have any concerns regarding WordPress or other potential weaknesses in your IT security, talk to the experts. E-mail: grainne@ward.ie and a member of our experienced team will help.
Further reading:
1. https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
2. https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
3. https://make.wordpress.org/core/2017/10/31/changed-behaviour-of-esc_sql-in-wordpress-4-8-3/
4. https://www.cvedetails.com/cve/CVE-2017-14723/