Description

WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.

Remediation

References

CVE-2017-16510

Related Vulnerabilities

WordPress Plugin Leaflet Maps Marker Pro Multiple Vulnerabilities (1.5.7)

MySQL CVE-2020-14567 Vulnerability (CVE-2020-14567)

WordPress Plugin Access Demo Importer Arbitrary File Upload (1.0.6)

MySQL CVE-2019-2815 Vulnerability (CVE-2019-2815)

WordPress Plugin 404 to 301-Redirect, Log and Notify 404 Errors Security Bypass (3.0.1)

Severity

Critical

Classification

CVE-2017-16510 CWE-138 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities