Running WordPress? You Need to Upgrade to Version 4.8.3 ASAP


Millions of websites running on WordPress are vulnerable to security threats as the company has pushed a latest version to fix a critical SQL-Injection vulnerability. The popular content management system had released version 4.8.2 last month to fix this flaw, however, unfortunately it just broke a number of sites without patching the vulnerability.

The newly released WordPress version 4.8.3 thankfully does fix the security issue according to Anthony Ferrara who first reported this problem to WordPress (and was ignored for weeks) a day after the last version was rolled out. The bug can be potentially exploited by attackers to hijack WordPress powered websites by injecting malicious SQL commands.

Hackers Exploit WordPress Zero-Days in the Wild to Take Over Vulnerable Sites

It took WordPress five weeks to even consider this a security issue

When the last version did not fix the security issue, Ferrara immediately warned the WordPress team but wasn't taken seriously. Only after he threatened the company to go public with a proof of concept exploit code, WordPress started to pay attention and worked to deliver a fix.

"It took literally five weeks to even get someone to consider the actual vulnerability," Ferrara wrote. "From there, it took me publicly threatening Full Disclosure to get the team to acknowledge the full scope of the issue (though they did start to engage deeper prior to the FD threat)."

In its security bulletin, WordPress has said that site operators are "strongly" encouraged to update their sites "immediately" to fix the security issue.

WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Anthony Ferrara.

This release includes a change in behaviour for the esc_sql() function. Most developers will not be affected by this change, you can read more details in the developer note.

You can go to Dashboard > Updates  > Update Now to upgrade WordPress to the latest version 4.8.3. The company did add that sites that support automatic background updates have already started to begin updating to the latest version.

Technical details are available here