WordPress admins, beware. Websites running on WordPress version 4.8.2 and earlier should update immediately to version 4.8.3. Security researcher Anthony Ferrara has reported an SQL injection vulnerability in the platform that allows websites to be taken over and exploited. Even though the bug was only just made public, the underlying issue was reported via HackerOne on September 20th, 2017.
More about the WordPress SQL Flaw
The above-mentioned versions of WordPress are prone to an issue where $wpdb->prepare() can create unexpected and unsafe queries, leading to potential SQL injection (SQLi). Even though WP core is not directly exposed to the issue, the immediate upgrade is obligatory. WordPress has added hardening to prevent plugins and themes from accidentally causing a flaw, WordPress researchers said.
As for Anthony Ferrara’s discovery, he said it was related to a poor fix that was pushed out by WordPress in version 4.8.2. The fix broke a ton of websites that used an undocumented functionality that was removed. The fix, however, didn’t fix the root issue.
“The 4.8.3 patch mitigates the extent of the issues I could find, and I believe is the second best way to fix the issue (with the first being a much more complex and time consuming change that still needs to happen),” the researcher added.
As mentioned in the beginning, website admins are urged to upgrade to WordPress v4.8.3 immediately. The researcher also advises admins to pay attention to plugins that override $wpdb (like HyperDB, LudicrousDB, etc.). They should be updated as well.
To update your WordPress to the latest, safest version, just go to Dashboard and select Updates. Everything that needs updating will be listed there, plugins inclusive. Keep in mind that if you have opted to get automatic background updates, your website is already up-to-date.
Another thing to keep in mind is that hosts should upgrade wp-db.php for their clients.
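A host managing many client installs will want a quick way to find which ones are still below 4.8.3. The script below is an added example, not code from the article or from WordPress; it assumes the standard WordPress layout, where wp-includes/version.php defines $wp_version, and builds a constructed sample directory tree to run against.

```shell
#!/bin/sh
# Added example: flag WordPress installs whose version is below 4.8.3.
# Assumes each site root has wp-includes/version.php containing a line
# of the form  $wp_version = 'x.y.z';  as real WordPress installs do.

MIN_SAFE="4.8.3"

# Extract the version string from a site's wp-includes/version.php.
wp_version_of() {
  sed -n "s/^\$wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Return 0 (true) if dotted version $1 is lower than $2.
version_lt() {
  [ "$1" = "$2" ] && return 1
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$1" ]
}

# Report one site root; returns 1 if it still needs the 4.8.3 update.
check_site() {
  v=$(wp_version_of "$1")
  if [ -z "$v" ]; then
    echo "$1: no version.php found"; return 2
  fi
  if version_lt "$v" "$MIN_SAFE"; then
    echo "$1: $v NEEDS UPDATE (< $MIN_SAFE)"; return 1
  fi
  echo "$1: $v ok"; return 0
}

# Constructed sample standing in for a host's client sites (not real data).
make_sample() {
  base=$(mktemp -d)
  for pair in "alpha:4.8.2" "beta:4.8.3" "gamma:4.7.5" "delta:4.9"; do
    site=${pair%%:*}; ver=${pair##*:}
    mkdir -p "$base/$site/wp-includes"
    printf "<?php\n\$wp_version = '%s';\n" "$ver" > "$base/$site/wp-includes/version.php"
  done
  echo "$base"
}

SAMPLE=$(make_sample)
for d in "$SAMPLE"/*/; do
  check_site "${d%/}" || true   # keep sweeping even when a site is outdated
done
```

On a real host, replace the constructed sample with the directory that holds the client document roots.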