Web Designers With WordPress: Upgrade To 4.8.3. Now!
WordPress has released a new security patch, version 4.8.3, addressing a flaw in its code that needs to be applied as soon as possible.
The patch fixes a flaw that could be exploited by malicious hackers to take over WordPress-based sites via SQL injection.
WordPress core itself is not directly affected, but the flaw is in a function core provides to themes and plugins, leaving those at risk, which can in turn compromise the whole site.
The WordPress team had to delay the release of the patch slightly, as it turned out to be tricky to fix the flaw without breaking a vast number of add-ons.
The official advisory warned that: “WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi).
“WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.”
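Whether a plugin or theme calls $wpdb->prepare() the way the advisory assumes can be checked before and after upgrading. The audit script below is an added example, not code from the article, from WordPress or from Ferrara: it flags prepare() calls whose query-string argument is not a fixed literal, since values belong in the %s/%d/%f placeholder arguments and never in the query text; the sample PHP lines it scans are constructed.

```python
import re
# Constructed sample plugin code (not from any real plugin or from WordPress).
SAMPLE_PHP = """<?php
$a = $wpdb->prepare( 'SELECT id, title FROM wp_posts WHERE author = %d AND status = %s', $uid, $status );
$b = $wpdb->prepare( "SELECT id FROM wp_posts WHERE title = '$title'" );
$c = $wpdb->prepare( "SELECT id FROM wp_posts WHERE slug = %s" . $order_by, $slug );
$d = $wpdb->prepare( $sql, $value );
"""

CALL_RE = re.compile(r"\$wpdb->prepare\(")

def first_argument(src, start):
    # First argument at src[start], honouring quotes/nesting so commas in the SQL text do not end it.
    depth, quote, i = 0, None, start
    while i < len(src):
        c = src[i]
        if quote:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c == "(":
            depth += 1
        elif c == ")" and depth:
            depth -= 1
        elif c in ",)" and depth == 0:
            break
        i += 1
    return src[start:i]

def classify_query_arg(arg):
    # "safe" only for a fixed literal: values must travel through %s/%d/%f placeholders, not the query text.
    q = arg.strip()
    if re.fullmatch(r"'(?:[^'\\]|\\.)*'", q):     # single quotes: PHP never interpolates
        return "safe"
    if re.fullmatch(r'"(?:[^"\\]|\\.)*"', q):     # double quotes: "$var" and "{$var}" interpolate
        return "interpolated string" if re.search(r"\$\w|\{\$", q) else "safe"
    return "non-literal query"                    # variable, concatenation or function call

def audit_php(source):
    # (line number, reason, query argument) for every risky prepare() call.
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            arg = first_argument(line, m.end())
            if (verdict := classify_query_arg(arg)) != "safe":
                findings.append((lineno, verdict, arg.strip()))
    return findings
```

Only the first sample call passes; the other three let data reach the query text. The scanner handles the one-line calls typical of plugin code; a call spread over several lines needs the scan run over the whole file rather than line by line.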
The flaw was first spotted by Anthony Ferrara, VP of engineering at Lingo Live. The previous release (4.8.2) was meant to bolster the $wpdb->prepare() code, said Ferrara, but the fix was shoddy. On top of that, the update broke “a metric ton of third-party code and sites – an estimated 1.2 million lines of code affected,” he said.
Ferrara warned the WordPress team that the 4.8.2 release wasn’t up to scratch, but apparently they refused to take him seriously at first. He said it wasn’t until he provided exploit code, which he wrote to prove the point, and then threatened to go public with it, that they relented and prepared a better fix, the latest version, 4.8.3.
“One of our struggles here, as it often is in security, is how to secure things while also breaking as little as possible,” Ferrara quoted the WordPress team as saying.
While Ferrara acknowledges that many of the people working on the WordPress platform are in fact volunteers, he said he was frustrated by the project’s attitude to security. He is nonetheless hopeful that they will get better at responding to warnings about such flaws as and when they appear in the codebase.
“It took literally five weeks to even get someone to consider the actual vulnerability,” Ferrara said.
“From there, it took me publicly threatening full disclosure to get the team to acknowledge the full scope of the issue, though they did start to engage deeper prior to the full disclosure threat. I was disappointed for a good part of the past six weeks. I’m now cautiously hopeful.”
Now, stop reading this article and go upgrade your systems!