With its latest release, WordPress included a security patch that greatly improved the platform’s resistance to SQL injections, which can enable threat actors to gain control of a site.
The release of version 4.8.3 follows a previous update that failed to mitigate the same issue and caused additional problems for developers, reported Anthony Ferrara, a security researcher and vice president of engineering at Lingo Live. Ferrara noted that while the previous fix addressed certain behaviors that could be abused, it still contained vulnerabilities that enabled malicious plugin and theme developers to carry out SQL injection.
Mitigating the Threat of SQL Injection
Ferrara’s concern centered around the use of the prepare function used in queries. The placeholders in the query code could be tricked to represent characters that changed the intended program flow. The 4.8.2 fix basically put a filter in front of the query functions to eliminate all unapproved characters, which forced the specific behavior shown in the original vulnerability to cease.
Still, Ferrara felt the true problem was that WordPress had passed user input to the query side of the prepare function, even if it had passed through an escape function such as the 4.8.2 filter. Therefore, the “double prepare” function was fundamentally problematic, since it could lead to an unsafe value being placed into the final query.
A Conflict of Interest
According to SecurityWeek, Ferrara implored plugin developers and hosting providers to patch their products to protect against the flaw. This likely prompted WordPress, which had been reticent to release a patch too hastily due to concerns that it might break certain functions, to prioritize the vulnerability and issue a more thorough fix with version 4.8.3. The new update includes an additional check for double prepares.
This scenario illustrates the conflicting priorities of those who develop products and those who must support them. Developers may be reluctant to perform additional designs solely to compensate for security flaws, but vendors cannot subject their users to known vulnerabilities. That’s why it’s critical to strike the right balance between security and the user experience.