WordPress recently announced the release of WordPress 4.8.3 with an important security fix. It is recommended that anyone using WordPress update now.
WordPress 4.8.3 Security Report
Anthony Ferrara, VP of Engineering at Lingo Live, reported on Oct 31st that a critical SQL-injection vulnerability was fixed in the new release, WordPress 4.8.3.
He first openly tweeted about the issue on the 26th of October and was then contacted by the WordPress team; the collaboration between the two parties led to a fix for the issue.
He recommends that, in addition to updating WordPress, you update all plugins and themes, especially those that override the $wpdb object of WordPress’ API. In the article linked above he also gives pointers for plugin/theme authors and web hosts.
The collaboration between Ferrara and the WordPress team is reported in more detail by WPTavern’s article.
Issue with $wpdb->prepare():
WordPress.org news reports that an issue with $wpdb->prepare() could cause unsafe queries in 4.8.2, which could lead to SQL injection. Many themes and plugins take their own steps to prevent this, but many might not, and the core fix resolves the issue for plugins that use $wpdb->prepare() even in those cases.
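The safe way to call $wpdb->prepare() is to keep the query text a fixed literal with placeholders and to pass every untrusted value as a separate argument, rather than interpolating it into the query text first. The following is an added example, not code from the post or from WordPress; the MiniWpdb class is an assumed stand-in that only approximates the placeholder contract of the real wpdb::prepare() (quoting %s, escaping string arguments) so the two usage patterns can be run without a WordPress install, and the table, user name and ID values are constructed for the demonstration.

```php
<?php
// Added example, not part of the original post or of WordPress core.
// MiniWpdb is an assumed stand-in that mimics only the placeholder contract
// of $wpdb->prepare(): %d and %s placeholders, string arguments escaped and
// wrapped in single quotes before substitution.
class MiniWpdb
{
    public function prepare(string $query, ...$args): string
    {
        // Normalise already-quoted placeholders, then wrap every %s in
        // single quotes so the caller does not have to.
        $query = str_replace("'%s'", '%s', $query);
        $query = str_replace('"%s"', '%s', $query);
        $query = preg_replace('/(?<!%)%s/', "'%s'", $query);

        // Escape quotes and backslashes in string arguments only; %d values
        // are coerced to integers by vsprintf.
        $escaped = array_map(function ($arg) {
            return is_string($arg) ? addslashes($arg) : $arg;
        }, $args);

        return vsprintf($query, $escaped);
    }
}

// Constructed inputs: a login containing a single quote is enough to show
// the difference between the two patterns.
$userName = "o'brien";
$userId   = "7";

$wpdb = new MiniWpdb();

// Safe pattern: the query text is a fixed literal; untrusted values travel
// as arguments and are escaped by prepare().
function safeUserQuery(MiniWpdb $wpdb, string $userId, string $userName): string
{
    return $wpdb->prepare(
        "SELECT * FROM wp_users WHERE ID = %d AND user_login = %s",
        $userId,
        $userName
    );
}

// Unsafe pattern: one value is interpolated into the query text before
// prepare() sees it, so prepare() cannot escape it and the quote in the
// input breaks out of the string literal.
function unsafeUserQuery(MiniWpdb $wpdb, string $userId, string $userName): string
{
    return $wpdb->prepare(
        "SELECT * FROM wp_users WHERE user_login = '$userName' AND ID = %d",
        $userId
    );
}

echo safeUserQuery($wpdb, $userId, $userName), PHP_EOL;
// SELECT * FROM wp_users WHERE ID = 7 AND user_login = 'o\'brien'

echo unsafeUserQuery($wpdb, $userId, $userName), PHP_EOL;
// SELECT * FROM wp_users WHERE user_login = 'o'brien' AND ID = 7
```

When reviewing a plugin or theme, grep for calls where a variable appears inside the first argument of $wpdb->prepare(); the query string should be a constant, and anything that changes per request belongs in the argument list.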
Changes to esc_sql():
WordPress also announced that this release includes changes to the esc_sql() function; here’s the full developer note. Plugins that manipulate the WordPress database deeply, such as cloning, copying and migration plugins, are more likely to use this function.
Possible Issues with WordPress 4.8.3:
i. Duplicator plugin version 1.2.26: it has been reported that the Duplicator plugin has issues with WordPress 4.8.3 because of the changes to the esc_sql() function.
ii. Some versions of MAMP on Mac OS X could have a problem as well.
Make sure to check the ‘tested up to’ status of plugins/themes on WordPress.org.
Don’t forget to update or download now. Please comment with your experience of the update.