A Vulnerability in WordPress Content Management System (CMS) Could Allow for SQL Injection

MS-ISAC ADVISORY NUMBER:

2017-107

DATE(S) ISSUED:

11/02/2017

OVERVIEW:

A vulnerability has been discovered in the WordPress content management system (CMS) which could allow for SQL Injection. WordPress is an open source content management system for websites. Successful exploitation of this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Core is not affected by this vulnerability; however, a patch was issued to prevent the vulnerability from affecting WordPress plugins and themes.

THREAT INTELLIGENCE:

While a proof of concept is available, there are no reports of this issue currently being exploited in the wild.

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

An update has been released for the WordPress content management system (CMS) to harden WordPress against SQL Injection. The issue exists because WordPress fails to sufficiently sanitize user-supplied input before using it in a SQL query. Specifically, this issue affects the 'wpdb::prepare()' method.

Successful exploitation of this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. WordPress Core is not affected by this vulnerability; however, a patch was issued to prevent the vulnerability from affecting WordPress plugins and themes.
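Because the hardening is delivered through wpdb::prepare(), the practical question for plugin and theme maintainers is whether their own code passes user-controlled values to that method correctly. The following is an added example written for this advisory, not WordPress core code and not code from any named plugin; the function names, the `slug` request parameter and the lookups against the posts table are assumptions chosen for illustration. It shows a common misuse beside the hardened form that keeps the query template free of user input.

```php
<?php
// Added illustration (not WordPress core or plugin code). Assumes it runs inside
// WordPress, where $wpdb, sanitize_text_field(), wp_unslash() and
// $wpdb->esc_like() are available.

// Misuse: the user-controlled value is interpolated into the query TEMPLATE
// before prepare() sees it, so prepare() cannot treat it as data. Kept only
// as the "before" pattern that a code review should flag.
function example_lookup_unsafe( $wpdb, string $slug ) {
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '$slug'";
    return $wpdb->get_results( $wpdb->prepare( $sql ) );
}

// Hardened form: the template contains only literal SQL and %s / %d
// placeholders; every user-controlled value is passed as a separate argument
// so the database layer escapes it.
function example_lookup_safe( $wpdb, string $slug, int $limit ) {
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s LIMIT %d";
    return $wpdb->get_results( $wpdb->prepare( $sql, $slug, $limit ) );
}

// LIKE searches need two steps: escape the wildcard characters with
// esc_like(), then still bind the resulting pattern through a %s placeholder.
function example_search_safe( $wpdb, string $term ) {
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s";
    return $wpdb->get_results( $wpdb->prepare( $sql, $like ) );
}

// Typical call site: normalise the request value, then hand it to the
// parameterised query. The template itself is never built from request data.
$slug = isset( $_GET['slug'] ) ? sanitize_text_field( wp_unslash( $_GET['slug'] ) ) : '';
$rows = example_lookup_safe( $wpdb, $slug, 10 );
```

When reviewing a plugin or theme after applying the update, search for calls where the first argument to `$wpdb->prepare()` is built by string interpolation or concatenation with request data; those are the call sites to convert to placeholders.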

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Ensure no unauthorized systems changes have occurred before applying patches.
  • Update WordPress CMS to the latest version after appropriate testing.
  • Update any plugins that override $wpdb.
  • Review and follow WordPress hardening guidelines - http://codex.wordpress.org/Hardening_WordPress.

REFERENCES:

CIS Control That Helps Avoid This Issue: CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers