Opened 22 months ago
Last modified 22 months ago
#60505 new defect (bug)
Column names in wpdb->insert aren't sanitized.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | 6.4.3 |
| Component: | Database | Keywords: | |
| Focuses: | | Cc: | |
Description
Column names in wpdb->insert aren't sanitized, although the documentation says: "Data to insert (in column => value pairs). Both $data columns and $data values should be “raw” (neither should be SQL escaped)."
Steps To Reproduce:
```php
<?php
global $wpdb;
$wpdb->insert("wp_posts", array("id`) VALUES (sleep(1)); -- " => 0));
```
This will sleep one second.
The WordPress security team has reviewed this and asked to open a public ticket.
Attachments (1)
Change History (3)
60505.diff is a proof of concept to use the identifier placeholders introduced in WordPress 6.2.
wpdb::update() is also affected and would need similar code.
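The following is an added example, not part of the ticket, its attachment, or WordPress core. It models the reported behaviour in standalone PHP: one query builder wraps column names in backticks without escaping them, the other applies standard MySQL identifier quoting (doubling embedded backticks), and a caller-side allow-list rejects unexpected column keys. All function names are hypothetical and the builders are a simplified model, not wpdb's code.

```php
<?php
// Simplified model of building "INSERT INTO `t` (`col`, ...) VALUES (...)".
// Function names are hypothetical; this is not WordPress core code.

// Unsafe: column names are wrapped in backticks but not escaped.
function build_insert_unescaped(string $table, array $data): string {
    $fields = '`' . implode('`, `', array_keys($data)) . '`';
    $marks  = implode(', ', array_fill(0, count($data), '%s'));
    return "INSERT INTO `$table` ($fields) VALUES ($marks)";
}

// MySQL identifier quoting: double any embedded backtick, then wrap in backticks.
function quote_identifier(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

// Hardened: every identifier is quoted, so a backtick cannot end the name early.
function build_insert_escaped(string $table, array $data): string {
    $fields = implode(', ', array_map('quote_identifier', array_keys($data)));
    $marks  = implode(', ', array_fill(0, count($data), '%s'));
    return 'INSERT INTO ' . quote_identifier($table) . " ($fields) VALUES ($marks)";
}

// Caller-side check: accept only column names the code itself expects.
function assert_known_columns(array $data, array $allowed): void {
    $unknown = array_diff(array_keys($data), $allowed);
    if ($unknown !== []) {
        throw new InvalidArgumentException('Unexpected column: ' . implode(', ', $unknown));
    }
}

// The column key from the ticket's reproduction steps.
$data = array("id`) VALUES (sleep(1)); -- " => 0);

// Print both statements to compare where the quoted column name ends.
echo build_insert_unescaped('wp_posts', $data), "\n";
echo build_insert_escaped('wp_posts', $data), "\n";

// The allow-list (constructed sample column names) rejects the key outright.
try {
    assert_known_columns($data, array('ID', 'post_title', 'post_status'));
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Until column names are escaped by the database layer itself, callers that build the `$data` array from request input can apply an allow-list like the one above before calling `$wpdb->insert()` or `$wpdb->update()`.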