CVE-2017-14723
Published 2017-09-23
Priority P274 · critical · 9.8 CVSS 3.0
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 10.36% (95.1th percentile)
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | wordpress | < wordpress 4.8.3+dfsg-1 (bookworm) | wordpress 4.8.3+dfsg-1 (bookworm) |
| debian | wordpress | < wordpress 4.8.2+dfsg-1 (bookworm) | wordpress 4.8.2+dfsg-1 (bookworm) |
| wordpress | wordpress | <= 4.8.2 | — |
| wordpress | wordpress | <= 4.8.1 | — |
| wordpress | wordpress | >= 0 < 4.8.2+dfsg-1 | 4.8.2+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.8.3+dfsg-1 | 4.8.3+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.8.2+dfsg-1 | 4.8.2+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.8.3+dfsg-1 | 4.8.3+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.8.2+dfsg-1 | 4.8.2+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.8.3+dfsg-1 | 4.8.3+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.8.2+dfsg-1 | 4.8.2+dfsg-1 |
| wordpress | wordpress | >= 0 < 4.8.3+dfsg-1 | 4.8.3+dfsg-1 |
Detection & IOCs
- SQL injection vector exists in WordPress $wpdb->prepare() due to mishandling of % characters and additional placeholder values, enabling SQLi via plugins and themes in versions before 4.8.2
- Vulnerability is scoped locally (plugin/theme code must invoke $wpdb->prepare() with unsanitized % characters); exploitation depends on a vulnerable plugin or theme being present
- Fixed in WordPress 4.8.2; Debian packages resolved at 4.8.2+dfsg-1 across all tracked suites
CVSS provenance
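| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_debian | | 9.8 | CRITICAL | |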
GHSA
GHSA-4f8m-x9c7-gvcq: Before version 4
ghsa_unreviewed·2022-05-17
CVE-2017-14723 [CRITICAL] CWE-89 GHSA-4f8m-x9c7-gvcq: Before version 4
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
GHSA
GHSA-4cxp-jjp3-3qpw: WordPress before 4
ghsa_unreviewed·2022-05-14·CVSS 9.8
CVE-2017-16510 [CRITICAL] CWE-89 GHSA-4cxp-jjp3-3qpw: WordPress before 4
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.
OSV
CVE-2017-16510: WordPress before 4
osv·2017-11-02·CVSS 9.8
CVE-2017-16510 [CRITICAL] CVE-2017-16510: WordPress before 4
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.
OSV
CVE-2017-14723: Before version 4
osv·2017-09-23·CVSS 9.8
CVE-2017-14723 [CRITICAL] CVE-2017-14723: Before version 4
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
VulnCheck
WordPress wordpress Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2017·CVSS 9.8
CVE-2017-14723 [CRITICAL] WordPress wordpress Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
Affected: WordPress wordpress
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.ic3.gov/Media/News/2022/220126.pdf
Debian
CVE-2017-16510: wordpress - WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create...
vendor_debian·2017·CVSS 9.8
CVE-2017-16510 [CRITICAL] CVE-2017-16510: wordpress - WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create...
WordPress before 4.8.3 is affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi) in plugins and themes, as demonstrated by a "double prepare" approach, a different vulnerability than CVE-2017-14723.
Scope: local
bookworm: resolved (fixed in 4.8.3+dfsg-1)
bullseye: resolved (fixed in 4.8.3+dfsg-1)
forky: resolved (fixed in 4.8.3+dfsg-1)
sid: resolved (fixed in 4.8.3+dfsg-1)
trixie: resolved (fixed in 4.8.3+dfsg-1)
Debian
CVE-2017-14723: wordpress - Before version 4.8.2, WordPress mishandled % characters and additional placehold...
vendor_debian·2017·CVSS 9.8
CVE-2017-14723 [CRITICAL] CVE-2017-14723: wordpress - Before version 4.8.2, WordPress mishandled % characters and additional placehold...
Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.
Scope: local
bookworm: resolved (fixed in 4.8.2+dfsg-1)
bullseye: resolved (fixed in 4.8.2+dfsg-1)
forky: resolved (fixed in 4.8.2+dfsg-1)
sid: resolved (fixed in 4.8.2+dfsg-1)
trixie: resolved (fixed in 4.8.2+dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- http://www.securityfocus.com/bid/100912
- http://www.securitytracker.com/id/1039553
- https://core.trac.wordpress.org/changeset/41470
- https://core.trac.wordpress.org/changeset/41496
- https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48
- https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec
- https://medium.com/websec/wordpress-sqli-bbb2afcc8e94
- https://medium.com/websec/wordpress-sqli-poc-f1827c20bf8e
- https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/
- https://www.debian.org/security/2017/dsa-3997
2017-09-23: Published
Exploited in the wild