WordPress SQL injection vulnerability, patch ASAP to 4.8.3

A security researcher has disclosed a SQL injection vulnerability in WordPress 4.8.2, so any WordPress installs should be updated to 4.8.3 as soon as possible. This is particularly important for groups that run their own WordPress instance(s), since WordPress is an extremely common target for attackers. If you support web servers where clients perform their own WP installs, please make sure that they receive this notification.

SQL injection attacks consist of embedding SQL in the input data a client sends to an application, so that the application builds and runs a query containing it. That is, the code is “injected” through the input. If successful, the exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
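The mechanism described above, as an added illustration that is not part of the original notice and is unrelated to the specific WordPress flaw: the same lookup written with input spliced into the query text beside the parameterized form, run against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin@example.com"), (2, "editor", "editor@example.com")],
    )
    return conn


def lookup_vulnerable(conn, login):
    # Client input is concatenated into the SQL text, so quotes and operators
    # in the input become part of the query rather than part of the data.
    sql = "SELECT login, email FROM users WHERE login = '" + login + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, login):
    # Input travels as a bound parameter; the database compares it only as a
    # string value, whatever characters it contains.
    sql = "SELECT login, email FROM users WHERE login = ? ORDER BY id"
    return conn.execute(sql, (login,)).fetchall()


def demo():
    conn = make_db()
    benign = "editor"
    hostile = "x' OR '1'='1"  # constructed test input to show the difference
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),  # every row leaks
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_hostile": lookup_parameterized(conn, hostile),  # no match
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Updating to the patched release is the fix for the WordPress issue; the parameterized form is the general defence for code you write yourself.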

wp.nyu.edu is externally hosted and is planned to be updated as soon as testing is complete.


Resources

https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

https://www.welivesecurity.com/2017/11/01/wordpress-update-now/

https://www.owasp.org/index.php/SQL_Injection