November 2, 2017 By Larry Loeb 2 min read

With its latest release, WordPress included a security patch that greatly improved the platform’s resistance to SQL injections, which can enable threat actors to gain control of a site.

The release of version 4.8.3 follows a previous update that failed to mitigate the same issue and caused additional problems for developers, reported Anthony Ferrara, a security researcher and vice president of engineering at Lingo Live. Ferrara noted that while the previous fix addressed certain behaviors that could be abused, it still contained vulnerabilities that enabled malicious plugin and theme developers to carry out SQL injection.

Mitigating the Threat of SQL Injection

Ferrara’s concern centered around the use of the prepare function used in queries. The placeholders in the query code could be tricked to represent characters that changed the intended program flow. The 4.8.2 fix basically put a filter in front of the query functions to eliminate all unapproved characters, which forced the specific behavior shown in the original vulnerability to cease.

Still, Ferrara felt the true problem was that WordPress had passed user input to the query side of the prepare function, even if it had passed through an escape function such as the 4.8.2 filter. Therefore, the “double prepare” function was fundamentally problematic, since it could lead to an unsafe value being placed into the final query.

A Conflict of Interest

According to SecurityWeek, Ferrara implored plugin developers and hosting providers to patch their products to protect against the flaw. This likely prompted WordPress, which had been reticent to release a patch too hastily due to concerns that it might break certain functions, to prioritize the vulnerability and issue a more thorough fix with version 4.8.3. The new update includes an additional check for double prepares.

This scenario illustrates the conflicting priorities of those who develop products and those who must support them. Developers may be reluctant to perform additional designs solely to compensate for security flaws, but vendors cannot subject their users to known vulnerabilities. That’s why it’s critical to strike the right balance between security and the user experience.

More from

CISA warns about credential access in FY23 risk & vulnerability assessment

3 min read - CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations.Both reports shed light on the persistent and growing threat of credential…

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Trends: Hardware gets AI updates in 2024

4 min read - The surge in artificial intelligence (AI) usage over the past two and a half years has dramatically changed not only software but hardware as well. As AI usage continues to evolve, PC makers have found in AI an opportunity to improve end-user devices by offering AI-specific hardware and marketing them as "AI PCs."Pre-AI hardware, adapted for AIA few years ago, AI often depended on hardware that was not explicitly designed for AI. One example is graphics processors. Nvidia Graphics Processing…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today