“IMPORTANT: I will be disclosing a massive WP SQLi vulnerability soon. I have no confidence WP will fix correctly and hence no choice but FD” -ircmaxell
Source: https://twitter.com/ircmaxell/status/923662170092638208
Let’s watch and patch accordingly?
3 Likes
“Reported by Anthony Ferrara.”
The patch, for those curious enough:
[41496] removed support for numbered placeholders in queries sent through `wpdb::prepare()`, which, despite being undocumented, were quite commonly used.
This change restores support for numbered placeholders (as well as a subset of placeholder formatting), while also adding extra checks to ensure the correct number of arguments are being passed to `wpdb::prepare()`, given the number of placeholders.
Merges [41662], [42056] to the 4.8 branch.
See #41925.
Built from https://develop.svn.wordpress.org/branches/4.8@42057
git-svn-id: http://core.svn.wordpress.org/branches/4.8@41886 1a063a9b-81f0-0310-95a4-ce76da25c4cd
changed 3 files with 154 additions and 36 deletions.
1 Like
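To make the commit message concrete, here is an added example (not WordPress core code, and not the actual patch) of the kind of check it describes: count the placeholders a query contains, including numbered ones, and refuse to build the statement when the number of arguments does not match. The function names (`count_placeholders`, `prepare_checked`) are hypothetical, and `addslashes()` stands in for the database driver's real escaping routine.

```php
<?php
// Added example, not WordPress code: a minimal stand-in for the
// placeholder/argument-count check described in the 4.8.3 commit message.
// Hypothetical names: count_placeholders(), prepare_checked().

/**
 * Return how many arguments a query requires.
 * Accepts plain placeholders (%d, %s, %f, %F) and numbered ones (%1$d, %2$s).
 * "%%" is an escaped literal percent sign and is skipped.
 * Simplification: when numbered placeholders are present, the highest index
 * and the plain-placeholder count are combined with max().
 */
function count_placeholders(string $query): int {
    // Drop escaped percent signs first so "100%%" is not counted.
    $query = str_replace('%%', '', $query);

    // Plain placeholders: a % not followed by "<digits>$".
    $plain = preg_match_all('/%(?!\d+\$)[dsfF]/', $query);

    // Numbered placeholders: capture the index before the "$".
    $numbered = [];
    if (preg_match_all('/%(\d+)\$[dsfF]/', $query, $m)) {
        $numbered = array_map('intval', $m[1]);
    }
    if ($numbered === []) {
        return $plain;
    }
    // Numbered placeholders may repeat; the highest index sets the requirement.
    return max(max($numbered), $plain);
}

/**
 * Build the statement only when the argument count matches the placeholders.
 * Strings are quoted and escaped; numbers are passed through to vsprintf().
 */
function prepare_checked(string $query, array $args): string {
    $required = count_placeholders($query);
    if ($required !== count($args)) {
        throw new InvalidArgumentException(sprintf(
            'Query expects %d argument(s), %d given', $required, count($args)
        ));
    }
    // addslashes() is a stand-in for the driver's real escaping function.
    $escaped = array_map(
        fn($a) => is_string($a) ? "'" . addslashes($a) . "'" : $a,
        $args
    );
    return vsprintf($query, $escaped);
}

// Matching counts: plain and numbered placeholders both work.
echo prepare_checked(
    "SELECT * FROM posts WHERE id = %d AND status = %s", [12, "publish"]
), "\n";
echo prepare_checked(
    "SELECT * FROM posts WHERE status = %2\$s AND id = %1\$d", [12, "publish"]
), "\n";

// Mismatched count: the statement is rejected instead of being built.
try {
    prepare_checked("SELECT * FROM posts WHERE id = %d AND status = %s", [12]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The point of the check is that a query and an argument list which disagree about how many values are needed never reach the database; the call fails loudly at the call site, which is also where a developer can see and fix it.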
The all ircmaxell thread all the time.
Technical:
Today, a significant SQL-Injection vulnerability was fixed in WordPress 4.8.3. Before reading further, if you haven’t updated yet stop right now and update. The foundations of this vulnerability was r
Yakety Sax :
Today, a significant SQL-Injection vulnerability was fixed in WordPress 4.8.3. Before reading further, if you haven’t updated yet stop right now and update. The foundations of this vulnerability was r
3 Likes
Good to see Anthony got WP core security to finally acknowledge and patch the issue. Too bad someone as respected as him had to threaten public Full Disclosure in order to get it done.
2 Likes