Source: wordpress
Version: 4.8.2+dfsg-2
Severity: grave
Tags: upstream security
Justification: user security hole

WordPress versions 4.8.2 and earlier are affected by an issue where
$wpdb->prepare() can create unexpected and unsafe queries leading to
potential SQL injection (SQLi). WordPress core is not directly
vulnerable to this issue, but we’ve added hardening to prevent plugins
and themes from accidentally causing a vulnerability.

I have attempted to get a CVE id for it but the Mitre website is
throwing errors again on the submit button.

References:
https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
https://wpvulndb.com/vulnerabilities/8941
https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.12.0-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
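As an added illustration (not code from this report, from WordPress core, or from the linked references), the plugin-side pattern that the 4.8.3 hardening is meant to contain, beside the form that keeps $wpdb->prepare() safe. It assumes a WordPress runtime that provides the global $wpdb; the function names are hypothetical.

```php
<?php
// Added example: a plugin search helper written two ways.
// Assumes WordPress is loaded so the global $wpdb (class wpdb) exists.

// RISKY: untrusted input is interpolated into the *format string* that
// prepare() receives. prepare() treats its first argument as a
// printf-style template, so a % sequence or a quote inside $term alters
// the template (and the resulting SQL) instead of being bound as a value.
// This is the kind of plugin code that can turn prepare() into an
// injection vector even though WordPress core itself is not affected.
function example_search_risky( $term, $limit ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE '%{$term}%' LIMIT %d",
        $limit
    );
    return $wpdb->get_results( $sql );
}

// SAFE: every untrusted value goes through a placeholder in the argument
// list, never into the template. LIKE metacharacters in the value are
// neutralised with esc_like() before the surrounding wildcards are added,
// and the whole pattern is bound via %s.
function example_search_safe( $term, $limit ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s LIMIT %d",
        $like,
        (int) $limit
    );
    return $wpdb->get_results( $sql );
}
```

When auditing a plugin or theme, the check is mechanical: any call to $wpdb->prepare() whose first argument contains a variable, concatenation or string interpolation is the risky form, regardless of the WordPress version in use.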