Light Dark
November 2, 2017 By Larry Loeb 2 min read

With its latest release, WordPress included a security patch that greatly improved the platform’s resistance to SQL injections, which can enable threat actors to gain control of a site.

The release of version 4.8.3 follows a previous update that failed to mitigate the same issue and caused additional problems for developers, reported Anthony Ferrara, a security researcher and vice president of engineering at Lingo Live. Ferrara noted that while the previous fix addressed certain behaviors that could be abused, it still contained vulnerabilities that enabled malicious plugin and theme developers to carry out SQL injection.

Mitigating the Threat of SQL Injection

Ferrara’s concern centered around the use of the prepare function used in queries. The placeholders in the query code could be tricked to represent characters that changed the intended program flow. The 4.8.2 fix basically put a filter in front of the query functions to eliminate all unapproved characters, which forced the specific behavior shown in the original vulnerability to cease.

Still, Ferrara felt the true problem was that WordPress had passed user input to the query side of the prepare function, even if it had passed through an escape function such as the 4.8.2 filter. Therefore, the “double prepare” function was fundamentally problematic, since it could lead to an unsafe value being placed into the final query.

A Conflict of Interest

According to SecurityWeek, Ferrara implored plugin developers and hosting providers to patch their products to protect against the flaw. This likely prompted WordPress, which had been reticent to release a patch too hastily due to concerns that it might break certain functions, to prioritize the vulnerability and issue a more thorough fix with version 4.8.3. The new update includes an additional check for double prepares.

This scenario illustrates the conflicting priorities of those who develop products and those who must support them. Developers may be reluctant to perform additional designs solely to compensate for security flaws, but vendors cannot subject their users to known vulnerabilities. That’s why it’s critical to strike the right balance between security and the user experience.

 |  |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

November 15, 2024

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

November 14, 2024

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

November 13, 2024

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature