WordPress 4.2.3 and earlier SQL Injection Vulnerability

2015.08.08

Credit: ocean90

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2015-2213

CWE: N/A

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

A potential SQL injection that could be used to compromise a site
FIX:
trunk/src/wp-includes/post.php
foreach ( $group_by_status as $status => $comments ) {
// Sanity check. This shouldn't happen.
- if ( 'post-trashed' == $status )
+ if ( 'post-trashed' == $status ) {
$status = '0';
- $comments_in = implode( "', '", $comments );
- $wpdb->query( "UPDATE $wpdb->comments SET comment_approved = '$status' WHERE comment_ID IN ('" . $comments_in . "')" );
+ }
+ $comments_in = implode( ', ', array_map( 'intval', $comments ) );
+ $wpdb->query( $wpdb->prepare( "UPDATE $wpdb->comments SET comment_approved = %s WHERE comment_ID IN ($comments_in)", $status ) );
}

References:

https://core.trac.wordpress.org/changeset/33555

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress 4.2.3 and earlier SQL Injection Vulnerability

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.