Boo! On Oct. 31, the open-source WordPress content management system (CMS) and blogging platform released its 4.8.3 update, patching a frightening SQL injection security vulnerability that was left open for weeks.
“WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi),” WordPress developer Gary Pendergast wrote in the release announcement. “WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.”
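To make the mechanism behind that quote concrete, here is an added illustration that is not WordPress code and is not from the release announcement: a simplified stand-in for the sprintf-style substitution `$wpdb->prepare()` performs, showing why handing an already-prepared string back into prepare() lets a `%` inside untrusted data be re-read as a placeholder, next to a hardened variant modelled on the idea of neutralizing `%` in data until the query is actually sent. The functions `toy_prepare`, `hardened_prepare`, `restore_placeholders`, the token constant and the sample input are all assumptions made for this example, not wpdb's implementation.

```php
<?php
// Added example (not WordPress code): model of the double-prepare hazard.

function toy_prepare(string $query, array $args): string {
    // Model of a sprintf-style prepare: each %s is replaced, left to right,
    // by a quoted and escaped argument. A '%' inside the argument is left
    // untouched, which is exactly what makes a SECOND pass dangerous.
    return preg_replace_callback('/%s/', function () use (&$args) {
        $value = (string) array_shift($args);          // null -> '' when args run out
        return "'" . addslashes($value) . "'";         // addslashes stands in for the DB escaper
    }, $query);
}

// Constructed untrusted input: harmless on its own, but it contains "%s".
$userInput = "x%s";

// Pass 1 (correct): the value is escaped and quoted as a literal.
$where = toy_prepare("name = %s", [$userInput]);
// => name = 'x%s'

// Pass 2 (the anti-pattern): a plugin splices the prepared fragment into a
// larger query and runs prepare() again for its own argument.
$unsafeSql = toy_prepare("SELECT id FROM posts WHERE $where AND status = %s", ['publish']);
// => SELECT id FROM posts WHERE name = 'x'publish'' AND status = ''
// The %s that came from user data consumed the plugin's 'publish' argument,
// the quote boundary moved, and the plugin's own placeholder was left empty.

// Hardened model: replace '%' in data with an opaque token that no later
// prepare() can interpret, and restore it only when the query is sent.
// wpdb uses a random per-request token; a fixed one is used here for readability
// (a fixed token could itself be supplied in data, so do not copy that choice).
const PLACEHOLDER_TOKEN = '{PCT-TOKEN}';

function hardened_prepare(string $query, array $args): string {
    return preg_replace_callback('/%s/', function () use (&$args) {
        $value = addslashes((string) array_shift($args));
        return "'" . str_replace('%', PLACEHOLDER_TOKEN, $value) . "'";
    }, $query);
}

function restore_placeholders(string $sql): string {
    // Called once, at the point the query goes to the database.
    return str_replace(PLACEHOLDER_TOKEN, '%', $sql);
}

$whereSafe = hardened_prepare("name = %s", [$userInput]);
// => name = 'x{PCT-TOKEN}s'
$safeSql = restore_placeholders(
    hardened_prepare("SELECT id FROM posts WHERE $whereSafe AND status = %s", ['publish'])
);
// => SELECT id FROM posts WHERE name = 'x%s' AND status = 'publish'

echo "Double prepare, no hardening: $unsafeSql\n";
echo "Double prepare, hardened:     $safeSql\n";
```

The review takeaway for plugin and theme authors is the one the hardening works around: call prepare() exactly once, at the point the query is executed, and treat any code path that feeds prepare()'s output back into prepare() as a finding, because the hardened layer only limits the damage of that pattern rather than making it correct.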
WordPress is among the most widely deployed technologies on the internet today, powering 25 percent or more of all websites according to some estimates. The pervasiveness of WordPress makes any security issues particularly impactful, given the volume of deployed sites.
The SQLi issue was reported to WordPress by security researcher Anthony Ferrara, who wasn’t particularly enthusiastic about how the issue was initially handled (or not) by the open-source project. Ferrara first reported the issues to WordPress on Sept. 20, a week after the release of the WordPress 4.8.2 update which also included a fix for a SQLi issue.
The problem with the WordPress 4.8.2 update, according to Ferrara, was that the fix actually introduced a new security issue for WordPress plugins.
“They are ignoring the new potential SQLi, and refuse to engage on the proper way to fix the original issue,” Ferrara wrote in a Twitter rant on Sept. 25. “Vulnerability report was closed, as a result, WPDB remains insecure-by-design, and this change makes that worse, not better.”
WordPress developers did get back to Ferrara, though it took weeks of back and forth communications for the issue to get worked through the system. During that time period, the vulnerability remained open, though not publicly disclosed.
“Security reports should be treated promptly, but that doesn’t mean every second counts (usually),” Ferrara wrote in a blog post. “I get that there are competing priorities. But show attention. Show that you’ve read what’s written. And if someone tells you it seems like you don’t understand something, stop and get clarification.”
Security weaknesses in WordPress plugins are a known attack vector that exposes users to risk. The SiteLock Website Security Insider Q2 2017 report found that the more plugins a WordPress site has, the greater the chance that site has of being breached.
WordPress has had an automated patching system in place for the core CMS since the WordPress 3.7 release debuted in October 2013. As such, security updates to the core platform are installed automatically by default, which helps to reduce the attack surface once a patch is available.
Ferrara’s concern is that WordPress doesn’t have enough dedicated, full-time security personnel working on or with the project and instead is largely a team made up of volunteers.
“The miss IMHO isn’t that a team of volunteers isn’t living up to my expectations, but that a platform that powers 25%+ of the Internet (or at least CMS-powered-Internet) isn’t staffed with full time security personnel,” Ferrara wrote. “Volunteers are amazing and can only do so much.”
“At some point it comes down to the companies making money off of it and not staffing it that are ultimately the biggest problems,” he added.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.