WordPress core version 4.8.2 was released to the public on 19 September 2017. In brief, this is a security and maintenance release and the changes are minor. If you have enabled the auto-update feature, your WordPress website(s) will be upgraded automatically.
WordPress 4.8.2 carries nine security fixes that website owners will want to apply. In total, there have been six releases this year containing security fixes.
On the maintenance side the update contains six other fixes, but the part that bothers Naked Security readers most is the security side: five cross-site scripting (XSS) flaws (a popular attack vector that refuses to go away), two path or directory traversal issues and one open redirect.
There is also the precautionary hardening of the $wpdb->prepare() method.
A leading WordPress developer firm, Designs2HTML Ltd., found that the main problem is not a vulnerability in the core WordPress software itself but in what the core allows code from the vast ecosystem of WordPress plugins and themes to do:
WordPress says, “WordPress core is not directly vulnerable to this issue but we have added hardening to prevent plugins and themes from accidentally causing a vulnerability.”
WordPress has a formidable security operation, but the huge number of third-party plugins and themes is both the software’s best feature and its weakness, since they can introduce vulnerabilities of their own.
Recently the Display Widgets plugin, used by more than 200,000 websites, was pulled after it and its three updates were discovered to contain a backdoor that enabled spam.
The hardening of $wpdb->prepare() is also very important, as the best defence against SQL injection attacks is to make sure that SQL queries are correctly escaped. Escaping user-supplied data in a SQL query stops the database engine from treating that data as code, which prevents attackers from bending queries to their own ends.
WordPress says, “The best way to do your escaping is by using prepare. All data in SQL queries must be SQL-escaped before the SQL query is executed to prevent against SQL injection attacks. The prepare method can perform this functionality for WordPress.”
Hence developers should be using prepare, because it protects against SQL injection. Updated versions of WordPress should now be safe from buggy third-party code, but older versions may not be, so plugin and theme developers should test their code against older versions of the core as well.
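To make the prepare() advice concrete, here is an added example written for this article (it is not code from WordPress, Designs2HTML or the plugin mentioned above). It assumes it runs inside WordPress, so the global $wpdb object exists; the table and column names are WordPress's real ones, while the query shapes and the untrusted $slug, $limit and $term inputs are constructed for illustration. It shows the unsafe concatenation pattern, the common mistake of interpolating data into the format string given to prepare() (which prepare() cannot protect), and the correct placeholder form.

```php
<?php
/**
 * Added example, not code from WordPress core or from any plugin discussed in
 * the article. Assumes a WordPress runtime: $wpdb is the global database object.
 * Function names prefixed example_ are hypothetical.
 */

// Vulnerable: untrusted request data is concatenated straight into the SQL.
// A quote character inside $slug ends the string literal and the rest of the
// value is parsed as SQL, which is exactly what escaping is meant to prevent.
function example_lookup_unsafe( $slug ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '" . $slug . "'";
    return $wpdb->get_results( $sql );
}

// Still vulnerable: the data is interpolated into the *format string* that
// prepare() receives, so there is no argument for prepare() to escape.
// prepare() only protects values passed separately for its placeholders.
function example_lookup_misused_prepare( $slug ) {
    global $wpdb;
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '$slug'" )
    );
}

// Hardened: every untrusted value goes through a placeholder (%s string,
// %d integer, %f float); prepare() escapes and quotes each one before the
// query is executed.
function example_lookup_safe( $slug, $limit ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
          WHERE post_name = %s AND post_type = %s AND post_status = %s
          LIMIT %d",
        $slug,
        'post',
        'publish',
        $limit
    );
    return $wpdb->get_results( $sql );
}

// Caveat for LIKE clauses: %s escapes quotes but not the LIKE wildcards
// '%' and '_', so escape those first with $wpdb->esc_like() and pass the
// finished pattern as the placeholder argument, not inside the format string.
function example_search_titles_safe( $term ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE %s",
            $pattern
        )
    );
}

// Constructed usage, as a plugin's request handler might call it. Input is
// unslashed and the limit coerced to a non-negative integer before use.
$slug  = isset( $_GET['slug'] ) ? wp_unslash( $_GET['slug'] ) : '';
$limit = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 10;
$rows  = example_lookup_safe( $slug, $limit );
```

When auditing a plugin or theme against an older core, the second function is the pattern to look for: a call to prepare() whose format string already contains the user data, or that has no placeholders at all, gives no protection even though prepare() appears in the code. A literal percent sign that genuinely belongs in the format string is written as %%.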
These security fixes affect all WordPress versions up to and including 4.8.1.
This is actually a relatively low-key update in an eventful period for WordPress patching. The main issue is who patches, and how quickly.
Attackers have still been able to exploit such issues to deface large numbers of unpatched websites, even though WordPress recommends automatic security updates.
Hence WordPress release notes for updates start with the simple advice: “We strongly encourage you to update your sites immediately.”