Make WordPress Core

Opened 8 months ago

Last modified 8 months ago

#60505 new defect (bug)

Column names in wpdb->insert aren't sanitized.

Reported by: kazet's profile kazet Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.4.3
Component: Database Keywords:
Focuses: Cc:

Description

Column names in wpdb->insert aren't sanitized, although the documentation says: "Data to insert (in column => value pairs). Both $data columns and $data values should be “raw” (neither should be SQL escaped)."

Steps To Reproduce:

<?php
global $wpdb;
$wpdb->insert("wp_posts", array("id`) VALUES (sleep(1)); -- " => 0));

This will sleep one second.

The WordPress security team has reviewed this and asked to open a public ticket.

Attachments (1)

60505.diff (1.3 KB) - added by peterwilsoncc 8 months ago.

Download all attachments as: .zip

Change History (3)

#1 @swissspidy
8 months ago

  • Component changed from General to Database

#2 @peterwilsoncc
8 months ago

60505.diff is a proof of concept to use the identifier placeholders introduced in WordPress 6.2.

wpdb::update() is also affected and would need similar code.

@peterwilsoncc
8 months ago

Note: See TracTickets for help on using tickets.