Opened 8 months ago
Last modified 8 months ago
#60505 new defect (bug)
Column names in wpdb->insert aren't sanitized.
Reported by: | kazet | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 6.4.3 |
Component: | Database | Keywords: | |
Focuses: | | Cc: | |
Description
Column names in wpdb->insert aren't sanitized, although the documentation says: "Data to insert (in column => value pairs). Both $data columns and $data values should be “raw” (neither should be SQL escaped)."
Steps To Reproduce:
<?php global $wpdb; $wpdb->insert("wp_posts", array("id`) VALUES (sleep(1)); -- " => 0));
This will sleep one second.
The WordPress security team has reviewed this and asked to open a public ticket.
Attachments (1)
Change History (3)
60505.diff is a proof of concept to use the identifier placeholders introduced in WordPress 6.2.
wpdb::update() is also affected and would need similar code.
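
A caller-side mitigation for the behaviour reported above, as an added example that is not part of the ticket, the attached diff, or WordPress core: quote column names with MySQL's identifier rule (wrap in backticks, double any embedded backtick) and refuse keys that are not known columns. The function names and the allowed-column list are hypothetical.

```php
<?php
// Added example: stand-alone helpers, not WordPress core code.
// Function names and the sample column list are hypothetical.

/**
 * Quote a MySQL identifier: wrap it in backticks and double any embedded
 * backtick so the name cannot close the quoted identifier early.
 */
function example_quote_identifier(string $name): string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Reject any $data key that is not a known column of the target table. */
function example_filter_columns(array $data, array $allowed): array
{
    $unknown = array_diff(array_keys($data), $allowed);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unexpected column name in $data');
    }
    return $data;
}

/** Build an INSERT with quoted identifiers; values stay as placeholders. */
function example_build_insert(string $table, array $data): string
{
    $columns = implode(', ', array_map('example_quote_identifier', array_keys($data)));
    $formats = implode(', ', array_fill(0, count($data), '%s'));
    return 'INSERT INTO ' . example_quote_identifier($table) . " ($columns) VALUES ($formats)";
}

// Constructed input: the column name from the ticket's reproduction step.
$data = array("id`) VALUES (sleep(1)); -- " => 0);

// With quoting, the whole key stays inside a single quoted identifier.
echo example_build_insert('wp_posts', $data), "\n";

// With an allowlist, the call is refused before any SQL is built.
try {
    example_filter_columns($data, array('ID', 'post_title', 'post_status'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same two checks apply to the keys passed to wpdb::update(), which the comment above notes is also affected.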