WordPress users advised to update to version 4.8.3 following discovery of SQL injection vulnerability
Anyone running a website powered by WordPress is being told to upgrade to version 4.8.3 immediately after the discovery of a serious security issue.
The problem -- an SQL injection vulnerability -- affects millions of websites running WordPress 4.8.2 and older. In addition to installing the latest update, site owners are advised to update plugins that could be exploited.
The vulnerability was discovered by Anthony Ferrara from Lingo Live who broke the news by saying: "Before reading further, if you haven’t updated yet stop right now and update."
The SQL injection bug was supposedly fixed by WordPress 4.8.2 last month, but in reality this particular update caused problems with a large number of sites and did not address the root cause of the vulnerability. Ferrara says he informed WordPress about the issue immediately after the release of the last update, but his advice went unheeded.
Now, with WordPress 4.8.3, the security hole has been plugged. Ferrara says:
Simply upgrade to 4.8.3 and update any plugins that override $wpdb (like HyperDB, LudicrousDB , etc). That should be enough.
Over on the WordPress website, Gary Pendergest thanks Ferrara and explains the problem:
WordPress 4.8.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Anthony Ferrara.
This release includes a change in behaviour for the esc_sql() function. Most developers will not be affected by this change, you can read more details in the developer note.