Make WordPress Core

Opened 3 months ago

#60009 new defect (bug)

Potential SQL Injection in WordPress Core

Reported by: williamdee
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: major
Version: trunk
Component: Security
Keywords: needs-review
Focuses:
Cc:

Description

Action/s Required to Trigger (potentially):

When going to any WordPress URL (potentially).

File/s Involved (there are others):

wp-includes/class-wp-query.php

Core Issue:

The SQL query to retrieve a page via post name uses generated SQL instead of static SQL with bound variables (lines 2031-2032):

$q['name'] = sanitize_title_for_query( $q['name'] );
$where .= " AND {$wpdb->posts}.post_name = '" . $q['name'] . "'";

Note:

While the "sanitize_title_for_query()" function should sanitize this, if some hacker can slip something through that function then it is directly injected. For proper security the SQL should not be generated dynamically and should use bound variables.

Other Files Affected:

Using the following GREP brings up other lines to look at:

grep -R " = ' \." *

wp-includes/bookmark.php: $inclusions = ' AND ( link_id = ' . $inclink . ' ';
wp-includes/bookmark.php: $inclusions .= ' OR link_id = ' . $inclink . ' ';
wp-includes/bookmark.php: $category_query = ' AND ( tt.term_id = ' . $incat . ' ';
wp-includes/bookmark.php: $category_query .= ' OR tt.term_id = ' . $incat . ' ';

Again, these should not be using dynamically generated SQL and should be using bound variables.
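The following is an added illustration, not code from the ticket or from WordPress core. It places the concatenated WHERE fragment quoted above next to the placeholder form that core already provides, `$wpdb->prepare()`, for both the `post_name` string case and the `link_id` integer-list case from the grep output. So that it runs outside WordPress, a small stand-in class named `StandInWpdb` is defined here; it imitates only the `%s`/`%d` handling of the real method and is an assumption of this example, not the real `wpdb` class.

```php
<?php
// Added example (not from the ticket or from WordPress core). Contrasts the
// string-concatenated WHERE fragment quoted in the ticket with the
// placeholder form offered by $wpdb->prepare(). StandInWpdb is a hypothetical
// stand-in so the file runs with plain `php`; it is NOT the real wpdb class.

class StandInWpdb {
    public $posts = 'wp_posts';   // table name, as $wpdb->posts holds in core

    // Simplified imitation of wpdb::prepare(): %d becomes an integer,
    // %s becomes a quoted, escaped string. The real method escapes through
    // the MySQL driver; addslashes() is used here only to keep the example
    // self-contained.
    public function prepare( $query, ...$args ) {
        $i = 0;
        return preg_replace_callback( '/%[ds]/', function ( $m ) use ( $args, &$i ) {
            $value = $args[ $i++ ];
            if ( '%d' === $m[0] ) {
                return (string) (int) $value;
            }
            return "'" . addslashes( (string) $value ) . "'";
        }, $query );
    }
}

$wpdb = new StandInWpdb();

// Constructed request value containing a single quote, the character the
// concatenated form relies on a sanitizer to remove.
$name = "o'brien";

// 1) Pattern quoted in the ticket: the value is glued into the SQL text, so
//    whatever survives sanitize_title_for_query() lands in the query as-is.
function where_concatenated( $wpdb, $name ) {
    return " AND {$wpdb->posts}.post_name = '" . $name . "'";
}

// 2) Placeholder form: the value is handed to prepare() separately and is
//    always quoted and escaped, independent of any earlier sanitisation.
//    The table name is still interpolated because identifiers cannot be
//    placeholders; only data values go through %s.
function where_prepared( $wpdb, $name ) {
    return $wpdb->prepare( " AND {$wpdb->posts}.post_name = %s", $name );
}

// 3) The bookmark.php case from the grep output: a list of link ids.
//    One %d per id means non-numeric input collapses to an integer
//    instead of being spliced into the statement.
function where_link_ids( $wpdb, array $ids ) {
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->prepare( " AND link_id IN ( {$placeholders} )", ...$ids );
}

echo where_concatenated( $wpdb, $name ), PHP_EOL;           // quote is unbalanced
echo where_prepared( $wpdb, $name ), PHP_EOL;               // quote is escaped
echo where_link_ids( $wpdb, array( 3, '7 OR 1=1', 12 ) ), PHP_EOL;  // 3, 7, 12
```

In core, `$wpdb->prepare()` is sprintf-style escaping followed by interpolation rather than server-side parameter binding, so it is the idiomatic WordPress counterpart of the "bound variables" the ticket asks for: the data value never reaches the SQL string unescaped, whichever sanitizer ran before it.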

Change History (0)
