Tuesday, 31 October 2017

The popular website content management system, WordPress has an important security patch out today that fixes an error left in the release of 4.8.2.


The default core installation of WordPress is not directly affected, rather the bug is in a security function provided by the core to plugins and themes. In other words, a bug in the core leaves plugins and themes potentially at risk of being hacked, leading to whole sites being hacked.

Also, crafting a patch to the address the blunder without breaking tons of add-ons for WordPress turned out to be problematic, delaying the release of
"WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi)," the official advisory today warned. "WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability."

According to  Anthony Ferrara, VP of engineering at Lingo Live, WordPress 4.8.2 was released last month in an attempt to shore up its $wpdb->prepare() code, but that update was not coded particularly well. As well as not fully addressing the underlying flaw, the update also broke "a metric ton of third-party code and sites – an estimated 1.2 million lines of code affected," Ferrara said.

Ferrara immediately warned the WordPress team that the 4.8.2 patch was insufficient and liable to break add-ons for the software; we're told the project initially refused to take him seriously. It only backed down – and prepared a better fix that doesn't break everything, like version 4.8.3 – when he provided proof-of-concept exploit code for the lingering hole, and threatened to go public, all according to Ferrara.

"One of our struggles here, as it often is in security, is how to secure things while also breaking as little as possible," Ferrara quoted the WordPress team as saying.

The WordPress team later thanked the researcher for practicing responsible disclosure.

You can find more technical details on the vulnerability, here. In any case, make sure you install or upgrade to version 4.8.3 on your websites to avoid being hacked via your plugins and themes.

Trending Posts

Blog Archive

Subscribe by email

Enter your email address:

Subscribe to more feeds

Tags

News (73) Web Hosting (48) Email (28) security (22) Advertising (17) webmail (17) Tutorials (16) Thexyz Cloud (14) Video (5) resellers (2)