WordPress fixes serious flaw, urges everyone to patch up

WordPress has issued an emergency patch to solve an issue which allowed hackers to completely take over a website, the media are reporting this Thursday. The patch in question is labelled 4.8.3 and the CMS creators are “strongly encouraging” webmasters to update their websites as soon as possible.

Version 4.8.2, which was released a few months ago, had a vulnerability which allowed attackers to trigger an SQL injection attack and take over a site. According to ZDNet, this version “mishandles certain characters, which can lead to $wpdb->prepare() creating "unexpected and unsafe queries" which can lead to potential SQL injection attacks.”

"WordPress core is not directly vulnerable to this issue, but we've added hardening to prevent plugins and themes from accidentally causing a vulnerability," WordPress says.

The vulnerability was discovered by security researcher Anthony Ferrara, who reported it through the HackerOne bug bounty platform in late September.

The trouble started, however, when WordPress decided to ignore the bug for several weeks. At least that’s what Ferrara claims. It was only when he warned the team that he would go public with the discovery that they fixed the issue.

“The correct fix is to ditch this whole prepare mechanism (which returns a string SQL query). Do what basically everyone else does and return a statement/query object or execute the query directly. That way you can't double-prepare a string. It's worth saying that this would be a major breaking change for WP,” Ferrara said.

“It doesn't need to be (and in practice shouldn't) overnight - they can do it in parallel with the existing API, deprecating the old one and removing in time - but it does need to happen. The current system is insecure-by-design. That doesn't mean it's always hackable, but it means you have to actively work to make it not attackable.”
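The "double-prepare" problem Ferrara describes, and the plugin-side mistake the 4.8.3 hardening is meant to catch, is easiest to see side by side with the correct usage. The following is an added illustration for plugin authors and code reviewers; it is not code from WordPress, from the article, or from the researcher. It assumes the real `$wpdb->prepare()`, `$wpdb->get_results()` and `$wpdb->posts` as provided inside a running WordPress install, and the two function names are hypothetical.

```php
<?php
// Added example: the double-prepare anti-pattern versus a single prepare().
// Assumes the global $wpdb object that WordPress provides to plugins and
// themes; this file is meant to be read as a plugin snippet, not run alone.

// ANTI-PATTERN. $wpdb->prepare() returns a plain SQL string, not a statement
// object. Passing that string back into prepare() means user data that was
// substituted on the first pass is re-read as part of the format string on the
// second pass. This is exactly the "double-prepare a string" problem the
// article quotes, and it is the shape a reviewer should flag: a prepare()
// call whose template is built from the output of another prepare().
function find_posts_double_prepared( $user_title, $status ) {
    global $wpdb;

    // Pass 1: user data is formatted into a fragment.
    $where = $wpdb->prepare( 'post_title = %s', $user_title );

    // Pass 2: the fragment (now containing user data) becomes part of the
    // template of a second prepare() call.
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE {$where} AND post_status = %s",
        $status
    );

    return $wpdb->get_results( $sql );
}

// CORRECT USAGE. Write the whole query as one template whose only variable
// parts are %s / %d placeholders, and pass every user-controlled value as an
// argument. Each value is substituted exactly once and never re-parsed.
function find_posts_single_prepare( $user_title, $status ) {
    global $wpdb;

    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title = %s AND post_status = %s",
        $user_title,
        $status
    );

    return $wpdb->get_results( $sql );
}
```

When auditing a plugin or theme, the thing to search for is any `prepare()` whose template string is assembled at runtime from other strings (a previous `prepare()` result, a `$_GET`/`$_POST` value, or an interpolated variable); the template should be a literal in the source, with data only ever arriving through the argument list. Note that the table-name interpolation `{$wpdb->posts}` is fine precisely because it is a constant set by WordPress, not user input.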

Image Credit: David M G / Shutterstock