November 2, 2017 By Larry Loeb 2 min read

With its latest release, WordPress included a security patch that greatly improved the platform’s resistance to SQL injections, which can enable threat actors to gain control of a site.

The release of version 4.8.3 follows a previous update that failed to mitigate the same issue and caused additional problems for developers, reported Anthony Ferrara, a security researcher and vice president of engineering at Lingo Live. Ferrara noted that while the previous fix addressed certain behaviors that could be abused, it still contained vulnerabilities that enabled malicious plugin and theme developers to carry out SQL injection.

Mitigating the Threat of SQL Injection

Ferrara’s concern centered around the use of the prepare function used in queries. The placeholders in the query code could be tricked to represent characters that changed the intended program flow. The 4.8.2 fix basically put a filter in front of the query functions to eliminate all unapproved characters, which forced the specific behavior shown in the original vulnerability to cease.

Still, Ferrara felt the true problem was that WordPress had passed user input to the query side of the prepare function, even if it had passed through an escape function such as the 4.8.2 filter. Therefore, the “double prepare” function was fundamentally problematic, since it could lead to an unsafe value being placed into the final query.

A Conflict of Interest

According to SecurityWeek, Ferrara implored plugin developers and hosting providers to patch their products to protect against the flaw. This likely prompted WordPress, which had been reticent to release a patch too hastily due to concerns that it might break certain functions, to prioritize the vulnerability and issue a more thorough fix with version 4.8.3. The new update includes an additional check for double prepares.

This scenario illustrates the conflicting priorities of those who develop products and those who must support them. Developers may be reluctant to perform additional designs solely to compensate for security flaws, but vendors cannot subject their users to known vulnerabilities. That’s why it’s critical to strike the right balance between security and the user experience.

More from

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication.Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future success…

Brands are changing cybersecurity strategies due to AI threats

3 min read -  Over the past 18 months, AI has changed how we do many things in our work and professional lives — from helping us write emails to affecting how we approach cybersecurity. A recent Voice of SecOps 2024 study found that AI was a huge reason for many shifts in cybersecurity over the past 12 months. Interestingly, AI was both the cause of new issues as well as quickly becoming a common solution for those very same challenges.The study was conducted…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today