WordPress 4.8.2 SQLi vulnerability
On 31 October, WordPress 4.8.3 was released. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
The following $wpdb usage is affected by this vulnerability:
This is known as “double-preparing” and is not a good design.
Also, don’t do this:
The query and its parameters should be built separately and then passed to the prepare method in a single call.
First, it uses vsprintf (which behaves like sprintf but takes its arguments as an array) to replace the placeholders with the values.
Second, it uses str_replace to quote the %s placeholders properly (first removing any quotes already around them, so they are not doubled).
Third, if it is passed a single argument and that argument is an array, it uses the elements of that array as the argument list. This means that calling $wpdb->prepare($sql, [1, 2]) is identical to calling $wpdb->prepare($sql, 1, 2). This will be important later.
Look at the code:
Now the query becomes SELECT * FROM foo WHERE bar IN (‘test’) AND baz = ‘test’; this changes the meaning of the query. To explain the SQL injection more clearly, you can construct request data like the following:
It turns out that the flaw also exists in WordPress core file /wp-includes/meta.php.
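As an added illustration (not code from the original post or from WordPress core), the block below re-implements the three prepare() steps described above in a simplified legacy_prepare() and uses it to contrast a single prepare call with double-preparing, and to build an IN (...) list safely; legacy_prepare, the sample values and the use of addslashes in place of the database escaping are all assumptions made for the example.

```php
<?php
// Added illustration, not WordPress core: a simplified stand-in for the
// pre-4.8.3 $wpdb->prepare() steps described above (PHP 7.4+ assumed).
function legacy_prepare(string $query, ...$args): string
{
    // Third step: a single array argument supplies the whole argument list.
    if (count($args) === 1 && is_array($args[0])) {
        $args = $args[0];
    }
    // Second step: unquote any already-quoted %s, then quote every %s as '%s'.
    $query = str_replace(["'%s'", '"%s"'], '%s', $query);
    $query = preg_replace('|(?<!%)%s|', "'%s'", $query);
    // Escape the values (assumption: addslashes stands in for DB escaping).
    $args = array_map(fn($a) => is_string($a) ? addslashes($a) : $a, $args);
    // First step: vsprintf substitutes the values into the placeholders.
    return vsprintf($query, $args);
}

$format = "SELECT * FROM foo WHERE bar = %s AND baz = %s";

// Constructed input: the first value happens to be the literal text "%s".
$bar = '%s';
$baz = 'test';

// Correct: prepare once, with every value supplied in the same call.
// The caller's "%s" ends up as an ordinary quoted string literal.
$once = legacy_prepare($format, $bar, $baz);
echo $once, "\n";

// Double-preparing: the prepared SQL is treated as a format string again.
// The '%s' that came from the data is unquoted, requoted and filled in by
// vsprintf, so the second call silently rewrites the first comparison.
$twice = legacy_prepare($once, 'other');
echo $twice, "\n";

// Building an IN (...) list safely: emit one %s per value and hand all the
// values, plus the trailing one, to a single prepare call (third step).
$values = ['a', 'b', "o'c"];
$list = implode(', ', array_fill(0, count($values), '%s'));
$in = legacy_prepare(
    "SELECT * FROM foo WHERE bar IN ($list) AND baz = %s",
    array_merge($values, [$baz])
);
echo $in, "\n";
```

Comparing the first two printed queries shows why a value that survives one prepare() must never be fed into another; the third shows that placeholders are generated from the number of values, never from the values themselves.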