CVE-2017-16510
CRITICALWordPress < 4.8.3 - SQL Injection via Double Prepare Approach
Title source: llmDescription
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.
References (8)
Core 8
Core References
Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://github.com/WordPress/WordPress/commit/a2693fd8602e3263b5925b9d799ddd577202167d
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2018/dsa-4090
Mailing List mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2017/11/msg00003.html
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/101638
Issue Tracking, Vendor Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/8941
Issue Tracking, Vendor Advisory x_refsource_misc
https://codex.wordpress.org/Version_4.8.3
Issue Tracking, Third Party Advisory x_refsource_misc
https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
Issue Tracking, Vendor Advisory x_refsource_misc
https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
Scores
CVSS v3
9.8
EPSS
0.0417
EPSS Percentile
88.8%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
wordpress/wordpress
< 4.8.2
Published
Nov 02, 2017
Tracked Since
Feb 18, 2026