SQL injection in WordPress

Published: 2017-10-31 16:07:07
Severity Medium
Patch available YES
Number of vulnerabilities 1
CVSSv2 5 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
CVSSv3 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE ID N/A
CWE ID CWE-89
Exploitation vector Network
Public exploit Not available
Vulnerable software WordPress
Vulnerable software versions WordPress 4.8.2, WordPress 4.8.1, WordPress 4.8
Vendor URL WordPress.ORG
Advisory type Public

Security Advisory

1) SQL injection

Description

The vulnerability allows a remote attacker to execute arbitrary SQL commands in the application's database.

The vulnerability exists due to an error in $wpdb->prepare() that can lead to SQL injection when the function is called by third-party software. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary SQL commands in the web application's database.
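The advisory does not spell out the misuse pattern, so the audit check below assumes the usual one: third-party code that builds the format string passed to $wpdb->prepare() from variables instead of supplying values as placeholder arguments. It is an added example, not code from this advisory or from WordPress; the PHP sample it scans is constructed for the demonstration, and $wpdb->table interpolation is deliberately allowed because table-name properties are not user input.

```python
import re
from typing import List, Tuple

# Constructed sample of plugin-style PHP (not a real plugin): one safe call using
# placeholders, two calls that let variables shape the format string, one safe
# call that interpolates only the $wpdb->posts table name.
SAMPLE_PHP = r'''
$ids  = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE ID = %d", $id ) );
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE post_title = '$title'" ) );
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM wp_posts WHERE post_name = '" . $slug . "'" ) );
$ok   = $wpdb->prepare( 'SELECT ID FROM wp_users WHERE user_login = %s', $login );
'''

PREPARE_CALL = re.compile(r"\$wpdb->prepare\s*\(")
VARIABLE = re.compile(r"\$([A-Za-z_]\w*)")


def first_argument(src: str, start: int) -> str:
    """Return the text of the first call argument; `start` is the index just after '('."""
    depth, i, quote = 0, start, None
    while i < len(src):
        c = src[i]
        if quote:                      # inside a PHP string literal
            if c == "\\":
                i += 1                 # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c in "([{":
            depth += 1
        elif c in ")]}":
            if depth == 0:
                break                  # end of the call
            depth -= 1
        elif c == "," and depth == 0:
            break                      # end of the first argument
        i += 1
    return src[start:i]


def risky_variables(fmt_expr: str) -> List[str]:
    """Variables that shape the format string, ignoring $wpdb (e.g. $wpdb->posts table names)."""
    return sorted({v for v in VARIABLE.findall(fmt_expr) if v != "wpdb"})


def find_risky_prepare_calls(src: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line, format-string expression, variables) for each prepare() call to review."""
    findings = []
    for m in PREPARE_CALL.finditer(src):
        arg = first_argument(src, m.end())
        names = risky_variables(arg)
        if names:
            findings.append((src.count("\n", 0, m.start()) + 1, arg.strip(), names))
    return findings
```

Findings point at calls to rewrite with %s / %d placeholders and the values passed as extra arguments; the hardening in 4.8.3 reduces the impact of such calls but does not make them correct.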

Remediation

Update to version 4.8.3.

External links

https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
