
Android Tutorial Station

Bug in WordPress 3.5 that allows SQL Injection

After the update to WordPress 3.5, the first security "failures" have come to light. Specifically, the $wpdb->prepare() function is the one that now reports the problem.

I put "bug" in quotes because this is really a security improvement: it only affects plugins or themes whose authors used the function incorrectly. The change has a negative side (vulnerable plugins are now easier to spot, and they can be attacked) and a positive side (it forces developers to update their plugins so the warning goes away and the queries are written correctly and safely).

What the WordPress developers changed in 3.5 is that $wpdb->prepare() now requires its second argument (the values for the placeholders) and emits a PHP warning when it is called with only a query string. Such a call never escaped anything in the first place: a variable interpolated into the query string reaches MySQL exactly as the user supplied it. So the code was already open to SQL injection before the update; the warning simply exposes it. Through that injection an attacker can read data such as user names, e-mail addresses and password hashes from our WordPress database, and, if the MySQL account WordPress uses has more privileges than it needs, potentially more than that.

The symptom is that the function now shows the following error:

"PHP Warning: Missing argument 2 for wpdb::prepare()."

The injection itself works with or without this warning. What the warning adds is a signpost: if PHP errors are displayed on the public pages of the blog, the message also names the file and line that build the query unsafely, which tells an attacker exactly where to aim. Because an UPDATE or similar query usually returns nothing to the page, the attack would typically be a blind SQL injection, but it can still compromise the blog.

How to solve the problem of SQL injection in WordPress 3.5?

If you see this error on your blog, do not hesitate to deactivate the plugin or the code that generates it, in order to keep your blog safe from attacks until the problem is actually fixed. Hiding the warning (turning off WP_DEBUG or display_errors) stops the leak of file paths, but it does not make the query any safer.

An example of poorly written code is:
$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->comments SET comment_parent=$par_ID WHERE comment_ID=$com_ID;" ) );

The above code interpolates the variables $par_ID and $com_ID directly into the SQL string before $wpdb->prepare() ever sees them, so prepare() receives a single argument and has nothing to escape. This is very dangerous: if either value comes from a request, a user can set it to whatever SQL fragment suits his attack.

The code written correctly would be:
$wpdb->query( $wpdb->prepare( "UPDATE $wpdb->comments SET comment_parent=%d WHERE comment_ID=%d;", $par_ID, $com_ID ) );

As can be seen in the code, in our case both variables are integer values, so they are replaced by %d and the variables themselves are passed as extra arguments at the end of the call, separated by commas, in the same order as the placeholders. This is the correct way to use $wpdb->prepare(). If our variables were text strings, we would use %s instead of %d; prepare() then escapes the value and wraps it in quotes, so the placeholder must not be written with its own quotes. Only the placeholders are substituted; the table name ($wpdb->comments) is a trusted constant, which is why it is fine to interpolate it.
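To make the difference visible without a WordPress install, here is an added example (not code from the original post or from WordPress core). It uses a small stand-in function, fake_prepare(), that imitates the part of $wpdb->prepare()'s contract that matters here: %d is cast to an integer and %s is escaped and quoted. The stand-in uses addslashes() only so it runs offline; it is not a substitute for the real $wpdb->prepare(), which escapes through the MySQL connection. The table name and the attacker-controlled value are constructed for the example.

```php
<?php
// Added example, not from the original post or from WordPress core.
// Stand-in for $wpdb->prepare(): %d -> integer, %s -> quoted, escaped string.
// addslashes() is only used so this runs without a database connection;
// real code must call $wpdb->prepare() itself.
function fake_prepare(string $query, ...$args): string {
    $i = 0;
    return preg_replace_callback('/%([ds])/', function ($m) use ($args, &$i) {
        $value = $args[$i++] ?? null;
        if ($m[1] === 'd') {
            return (string) intval($value);             // "5 OR 1=1" becomes 5
        }
        return "'" . addslashes((string) $value) . "'"; // quoted and escaped
    }, $query);
}

$table  = 'wp_comments';   // trusted constant, like $wpdb->comments
$par_ID = '0';
// Constructed attacker-controlled value, as it might arrive in a request parameter.
$com_ID = '5 OR 1=1';

// Vulnerable pattern from the post: the variables are interpolated before
// prepare() sees the string, so nothing is escaped (and WP 3.5 warns about
// the missing second argument).
$vulnerable = "UPDATE $table SET comment_parent=$par_ID WHERE comment_ID=$com_ID;";
echo $vulnerable, "\n";
// UPDATE wp_comments SET comment_parent=0 WHERE comment_ID=5 OR 1=1;
// The WHERE clause matches every row: every comment on the blog is reparented.

// Corrected pattern: placeholders in the query, values as separate arguments.
$safe = fake_prepare("UPDATE $table SET comment_parent=%d WHERE comment_ID=%d;", $par_ID, $com_ID);
echo $safe, "\n";
// UPDATE wp_comments SET comment_parent=0 WHERE comment_ID=5;
// The payload is reduced to the integer 5.

// String values use %s; prepare() supplies the quotes and the escaping.
$author = "O'Brien'; DROP TABLE wp_users; --";
echo fake_prepare("SELECT * FROM $table WHERE comment_author=%s;", $author), "\n";
// SELECT * FROM wp_comments WHERE comment_author='O\'Brien\'; DROP TABLE wp_users; --';
```

The point to take away is that %d and %s are only useful when the raw values are handed to prepare() as arguments; once a value has been concatenated into the string, no amount of placeholders elsewhere in the query can undo that.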

I hope this has been helpful, and remember: if you see the error "PHP Warning: Missing argument 2 for wpdb::prepare()", deactivate the plugins one by one to find the one that generates it. If the error still appears after all plugins are deactivated, the problem is in your theme, and you must fix it as soon as possible.
