WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
| Link | Tags |
|---|---|
| https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d | issue tracking, patch, vendor advisory |
| https://www.debian.org/security/2018/dsa-4090 | vendor advisory |
| https://lists.debian.org/debian-lts-announce/2017/11/msg00003.html | mailing list |
| http://www.securityfocus.com/bid/101638 | vdb entry, third party advisory |
| https://wpvulndb.com/vulnerabilities/8941 | issue tracking, vendor advisory |
| https://codex.wordpress.org/Version_4.8.3 | issue tracking, vendor advisory |
| https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html | issue tracking, third party advisory |
| https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/ | issue tracking, vendor advisory |