Why you need to update to WordPress 4.8.3 immediately

This advice comes from the WordPress Foundation and Anthony Ferrara, VP of engineering at Lingo Live, who discovered a SQL injection vulnerability in WordPress that could be exploited. Exploiting it could allow scripts to take over the site running the affected code, so it poses a serious security issue.

Details about the vulnerability found

“WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability,” the WordPress Foundation explained.
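The plugin-side mistake that the 4.8.3 hardening defends against is letting untrusted data reach the format string of $wpdb->prepare() instead of its bound arguments. The following is an added illustration, not code from WordPress core or from Ferrara's write-up; the function names are hypothetical, and it assumes the global $wpdb object that WordPress provides, including its documented esc_like() and get_col() methods.

```php
<?php
// Added illustration of the prepare() misuse pattern versus the safe form.
// Assumes WordPress has loaded and the global $wpdb is available.

// UNSAFE: user input is concatenated into the *format string*. prepare()
// then interprets any '%' sequences inside $search as formatting directives,
// so the resulting SQL can differ from what the developer intended. This is
// the kind of accidental vulnerability the 4.8.3 hardening is aimed at.
function find_posts_unsafe( $search, $status ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE '%" . $search . "%' AND post_status = %s",
        $status
    );
    return $wpdb->get_col( $sql );
}

// SAFE: the format string is a fixed literal; every untrusted value is passed
// as a bound argument. LIKE wildcards in the user's text are escaped with
// $wpdb->esc_like() before the surrounding '%' characters are added.
function find_posts_safe( $search, $status ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = %s",
        $like,
        $status
    );
    return $wpdb->get_col( $sql );
}
```

A quick review rule for plugin and theme code follows from this: the first argument to $wpdb->prepare() should never contain a variable or concatenation, only placeholders.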

Ferrara published technical details about the flaw, and explained that it was initially discovered by someone else months ago.

His discovery was related to a poor fix that was pushed out by the Foundation in WordPress v4.8.2. Not only did the fix break a lot of sites that used an undocumented functionality that was removed, but it didn’t fix the root issue, just a narrow subset of the potential exploits.

How to fix the issue

“The 4.8.3 patch mitigates the extent of the issues I could find, and I believe is the second best way to fix the issue (with the first being a much more complex and time consuming change that still needs to happen),” Ferrara noted.

Ferrara also advises updating any plugins that override $wpdb (such as HyperDB, LudicrousDB, etc.). As noted before, site owners should upgrade to WP 4.8.3 as soon as possible.

Updating WordPress core is simple: go to Dashboard → Updates and choose the “Update Now” option. It’s always good practice to back up your site prior to an update, just in case.

Here at WP Sanctuary, we offer complete WordPress Maintenance services which include backups plus all your regular updates (WP core, plugins, themes) and more with every plan. Check out the full range of WP management features.

Hosts should upgrade wp-db.php for their clients. “There may be some firewall rules in the meantime that you could implement (such as blocking % and other sprintf() values), but your mileage may vary,” Ferrara added.
