CVE-2017-14723

CRITICAL EXPLOITED

WordPress <4.8.2 - SQL Injection

Title source: llm

Description

Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.

References (10)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/100912

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1039553

[Patch, Vendor Advisory] https://core.trac.wordpress.org/changeset/41470

[Patch, Vendor Advisory] https://core.trac.wordpress.org/changeset/41496

[Issue Tracking, Patch, Third Party Advisory] https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48

[Issue Tracking, Patch, Third Party Advisory] https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec

View Patch ZIP pw:eip

[Exploit, Mitigation, Third Party Advisory] https://medium.com/websec/wordpress-sqli-bbb2afcc8e94

[Exploit, Third Party Advisory] https://medium.com/websec/wordpress-sqli-poc-f1827c20bf8e

[Patch, Release Notes, Vendor Advisory] https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/

[Third Party Advisory] https://www.debian.org/security/2017/dsa-3997

Scores

CVSS v3 9.8

EPSS 0.1043

EPSS Percentile 93.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2022-01-26

Classification

CWE

CWE-89

Status draft

Affected Products (1)

wordpress/wordpress < 4.8.1

Timeline

Published Sep 23, 2017

Tracked Since Feb 18, 2026