Description

Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.

Remediation

References

CVE-2017-14723

Related Vulnerabilities

Chamilo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2013-6787)

Oracle Application Server Credentials Management Errors Vulnerability (CVE-2004-1366)

Serendipity Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2012-2331)

WordPress Plugin Plotly Cross-Site Scripting (1.0.2)

WordPress Plugin WP Mail SMTP by WPForms Unspecified Vulnerability (0.9.5)

Severity

Critical

Classification

CVE-2017-14723 CWE-138 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities