A new WordPress SQLi vulnerability has been discovered by security researchers in a WordPress core, it’s strongly recommended to update to version 4.8.3, the latest at the time of writing, if you haven’t done so already.
AppCheck-NG had a plugin available in our scanner within hours of the vulnerability being disclosed (31/10/2017), the vulnerability exploits a flaw in the “$wpdb->prepare()” code in meta.php where by an attacker could take advantage of an SQL query being doubly prepared and manipulate the input.
$my_where = $wpdb->prepare(" WHERE foo = %s", "%s ");
$taint = [" OR 1=1 # ", 2, 3];
$my_query = $wpdb->prepare("SELECT * FROM something $my_where LIMIT %d, %d", $taint);
SELECT * FROM something WHERE foo = '' OR 1=1 # ' ' LIMIT 2, 3
In the above example the “%s” in the first prepare is replaced by another %s from an input which makes it through to the 2nd prepare statement that could handle user input and allow an attacker to perform SQL injection.