Nine disclosures this week, with one issue unfixed, one possibly unfixed (see the notes section in the spreadsheet).
View this week’s vulnerable plugins list.
The largest disclosure this week was definitely the SQL Injection vulnerability patched in v4.8.3 of core. The patch even got its own haiku (courtesy of pagely.com):
We patch the tricks, 4 8 3
You get the treats. Boo!
The vulnerability was initially discovered by Anthony Ferrara, who worked with the WordPress security team to get the patch in place. Anthony has a great write-up covering how he discovered it. I’ll echo his statement: I would like to see WordPress move to real prepared statements, something I’m surprised hasn’t been done already.
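To make the "real prepared statements" point concrete, here is an added illustration (not WordPress core code and not from Anthony's write-up). The hypothetical emulated_prepare() helper stands in for the sprintf-style emulation approach: it escapes values and splices them into the SQL text, so the finished query still carries the data. Once a caller prepares that text a second time (a fragment built from user input, embedded in a larger query that is prepared again with its own arguments), the user's value is read as part of the format string. The real_prepared() function uses a PDO prepared statement against an in-memory SQLite fixture (constructed here; assumes the pdo_sqlite extension), where the data is bound separately and never becomes part of the SQL text.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an sprintf-style prepare(): quote %s placeholders,
// escape each value, then let vsprintf splice the values into the SQL text.
// This mirrors the emulation approach in spirit; it is not wpdb::prepare().
function emulated_prepare(string $query, array $args): string
{
    $query = str_replace("'%s'", '%s', $query);                   // normalise quoted placeholders
    $query = preg_replace('/(?<!%)%s/', "'%s'", $query);          // re-quote every %s
    $args  = array_map(fn($a) => addslashes((string) $a), $args); // escape the data
    return vsprintf($query, $args);
}

// A caller builds a WHERE fragment from user input, then embeds it in a larger
// query that is prepared again. The second pass parses the user's value as
// part of the *format*: the boundary between SQL and data is gone.
function double_prepared(string $userName): string
{
    $fragment = emulated_prepare('post_author = %s', [$userName]);
    return emulated_prepare("SELECT id FROM posts WHERE $fragment AND post_status = %s", ['publish']);
}

// A real prepared statement: the SQL text contains only placeholders and the
// driver binds the values separately, so "%s" or a quote inside them is inert.
function real_prepared(PDO $pdo, string $userName): array
{
    $stmt = $pdo->prepare('SELECT id FROM posts WHERE post_author = ? AND post_status = ?');
    $stmt->execute([$userName, 'publish']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory fixture (sample rows, not real site data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, post_author TEXT, post_status TEXT)');
$pdo->exec("INSERT INTO posts VALUES (1, 'alice', 'publish'), (2, '%s', 'publish'), (3, 'alice', 'draft')");

// Benign input: both passes produce the query the caller intended.
echo double_prepared('alice'), PHP_EOL;

// A value that merely contains a format directive is no longer plain data on
// the second pass: vsprintf now sees two %s placeholders but one argument.
// On PHP 8 that is a ValueError; on PHP 7 vsprintf returns false and the
// string return type is violated. Either way the query the caller meant is lost.
try {
    echo double_prepared('%s'), PHP_EOL;
} catch (\Throwable $e) {
    echo 'double prepare broke on user data: ', get_class($e), PHP_EOL;
}

// The bound parameter matches rows literally, whatever the value looks like.
print_r(real_prepared($pdo, 'alice'));
print_r(real_prepared($pdo, '%s'));
```

The lesson for plugin and theme authors is the same one the write-up draws: with string-building emulation, the output of prepare() must be treated as finished SQL and never fed back through prepare() or any other formatting step, while a driver-level prepared statement (PDO or mysqli with bound parameters) removes that footgun entirely because the value never enters the query text.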
Other Security News
If penetration testing, bug hunting, etc. is of interest to you, I’d suggest checking out Alex Birsan’s post on how he hacked Google’s bug tracking system and was rewarded handsomely. It’s a great read on the steps he took to find the vulnerability and the thought process behind the actions he took to discover the issues.