A bug exploitable in WordPress 4.8.2 and earlier creates unexpected and unsafe conditions ripe for a SQL injection attack, exposing sites created on the content management system to takeover.
WordPress released WordPress 4.8.3 Tuesday, which mitigates the vulnerability.
“This is a security release for all previous versions and we strongly encourage you to update your sites immediately,” according to WordPress. The vulnerability is not tied to the WordPress Core, rather plugins and themes that could be used to trigger a SQL injection attack, WordPress said.
The 4.8.3 update fixes a previous release made available on Sept. 19.
“Worst case would be remote code execution where they could take over installs of WordPress and the servers they are running on,” said Anthony Ferrara, the researcher who identified the flawed WordPress 4.8.2 patch.
The roots of the SQL injection date back to a vulnerability (CVE-2017-14723) first reported on Sept. 17, 2017. WordPress then attempted to mitigate the vulnerability with WordPress 4.8.2. That patch did not fix the issue, worsened the underlying security vulnerability and “broke” a large undisclosed number of third-party WordPress plugins.
“Our plugin broke,” said Matt Barry, a lead developer at WordFence. “The initial WordPress fix created huge headaches for plugin developers like us.”
On Sept. 20, Ferrara reported through the HackerOne bug bounty platform the fix was incomplete.
“I filed a security vulnerability report and notify them the fix isn’t a fix and suggest they should revert and fix properly (with included details on how to fix),” according to a post outlining the disclosure on Ferrara’s personal blog.
After going back and forth with WordPress for weeks, Ferrara said on Oct. 16 he announced his intent for public disclosure. More back and forth ensued, and on Oct. 20 he said WordPress told Ferrara it was “working on it” and discussing details of the fix. After 11 more days of hammering out the technical details of that fix, on Oct. 31 the 4.8.2 patch was released.
The vulnerability itself affects WordPress versions 4.8.2 and earlier. The issue occurred because where “$wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection,” describes WordPress.
The root issue is that the prepare system is poorly designed and needed to be fixed, Ferraray said. He said a patch to remove the “double prepare” from meta.php was eventually delivered, mitigating the vulnerability.
“These types of fixes can be tricky,” Barry said. Plugins are often the friendly-fire casualties for these types of WordPress patches, he said.
“The core issue is mitigated. My perspective of the interaction was frustrating at first, but got far better towards the end,” Ferraray said in his blog. “I was disappointed for a good part of the past six weeks. I’m now cautiously hopeful.”