November 2, 2017 By Larry Loeb 2 min read

With its latest release, WordPress included a security patch that greatly improved the platform’s resistance to SQL injections, which can enable threat actors to gain control of a site.

The release of version 4.8.3 follows a previous update that failed to mitigate the same issue and caused additional problems for developers, reported Anthony Ferrara, a security researcher and vice president of engineering at Lingo Live. Ferrara noted that while the previous fix addressed certain behaviors that could be abused, it still contained vulnerabilities that enabled malicious plugin and theme developers to carry out SQL injection.

Mitigating the Threat of SQL Injection

Ferrara’s concern centered around the use of the prepare function used in queries. The placeholders in the query code could be tricked to represent characters that changed the intended program flow. The 4.8.2 fix basically put a filter in front of the query functions to eliminate all unapproved characters, which forced the specific behavior shown in the original vulnerability to cease.

Still, Ferrara felt the true problem was that WordPress had passed user input to the query side of the prepare function, even if it had passed through an escape function such as the 4.8.2 filter. Therefore, the “double prepare” function was fundamentally problematic, since it could lead to an unsafe value being placed into the final query.

A Conflict of Interest

According to SecurityWeek, Ferrara implored plugin developers and hosting providers to patch their products to protect against the flaw. This likely prompted WordPress, which had been reticent to release a patch too hastily due to concerns that it might break certain functions, to prioritize the vulnerability and issue a more thorough fix with version 4.8.3. The new update includes an additional check for double prepares.

This scenario illustrates the conflicting priorities of those who develop products and those who must support them. Developers may be reluctant to perform additional designs solely to compensate for security flaws, but vendors cannot subject their users to known vulnerabilities. That’s why it’s critical to strike the right balance between security and the user experience.

More from

Is the water safe? The state of critical infrastructure cybersecurity

4 min read - On September 25, CISA issued a stark reminder that critical infrastructure remains a primary target for cyberattacks. Vulnerable systems in industrial sectors, including water utilities, continue to be exploited due to poor cyber hygiene practices. Using unsophisticated methods like brute-force attacks and leveraging default passwords, threat actors have repeatedly managed to compromise operational technology (OT) and industrial control systems (ICS).Attacks on the industrial sector have been particularly costly. The 2024 IBM Cost of a Data Breach report found the average total…

Cybersecurity trends: IBM’s predictions for 2025

4 min read - Cybersecurity concerns in 2024 can be summed up in two letters: AI (or five letters if you narrow it down to gen AI). Organizations are still in the early stages of understanding the risks and rewards of this technology. For all the good it can do to improve data protection, keep up with compliance regulations and enable faster threat detection, threat actors are also using AI to accelerate their social engineering attacks and sabotage AI models with malware.AI might have…

Cloud threat report: Why have SaaS platforms on dark web marketplaces decreased?

3 min read - IBM’s X-Force team recently released the latest edition of the Cloud Threat Landscape Report for 2024, providing a comprehensive outlook on the rise of cloud infrastructure adoption and its associated risks.One of the key takeaways of this year’s report was focused on the gradual decrease in Software-as-a-Service (SaaS) platforms being mentioned across dark web marketplaces. While this trend potentially points to more cloud platforms increasing their defensive posture and limiting the number of exploits or compromised credentials that are surfacing,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today