WordPress announced the security release of version 4.8.3 this week to patch a vulnerability to website takeover through an SQL injection attack.
The Halloween fright, CVE-2017-14723, was discovered and reported to the bug bounty program in September by researcher Anthony Ferrara.
While WordPress core is not affected, according to the new release announcement, the new version hardens it to protect it from attacks via plugins and themes. In version 4.8.2 and earlier, “$wpdb->prepare() can create unexpected and unsafe queries,” allowing potential SQL injection. The new release changes the behavior of the esc_sql() function, which WordPress says will not affect most developers.
The vulnerability traces back to version 4.8.1, but Ferrara says the fix WordPress released with version 4.8.2 dealt with only “a narrow subset of the potential exploits.” 4.8.2 not only failed to actually solve the problem, according to Ferrara, but also rendered many sites and over a million lines of third-party code ineffective. He reported the bug the day after the release of 4.8.2, but WordPress closed his report, on grounds that “non documented functionality is non documented.”
Several messages back and forth followed, before Ferrara threatened on Oct. 16 to publicly report the vulnerability on the 19th. WordPress convinced Ferrara to hold off, and then threatened again on October 20 to take the issue public again on the 25th. Ferrara writes in his report of the disclosure process that the WP security team told him, “[o]ne of our struggles here, as it often is in security, is how to secure things while also breaking as little as possible.”
On the 27th, it seems another member of the WordPress team became involved, and Ferrara finally received the responses he was looking for. He acknowledged in his account of the incident the challenges facing the volunteer team dealing with the issue.
“The miss IMHO isn’t that a team of volunteers isn’t living up to my expectations, but that a platform that powers 25%+ of the Internet (or at least CMS-powered-Internet) isn’t staffed with full time security personnel,” he wrote. “Volunteers are amazing and can only do so much. At some point it comes down to the companies making money off of it and not staffing it that are ultimately the biggest problems…”
WordPress, for its part, thanked Ferrara for practicing responsible disclosure.