[wp-trac] [WordPress Trac] #44861: equals sign in WordPress Gutenberg post triggers SQL injection attack on Server
WordPress Trac
noreply at wordpress.org
Wed Aug 29 08:49:00 UTC 2018
#44861: equals sign in WordPress Gutenberg post triggers SQL injection attack on Server
---------------------------+-----------------------------
Reporter: jamesfroggatt | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Editor | Version: 4.9.8
Severity: critical | Keywords:
Focuses: |
---------------------------+-----------------------------
I am using WordPress 4.9.8 and use Gutenberg.

There appears to be a serious problem when using the = symbol in posts. This triggers a firewall on my host that then blocks ALL requests to the server from my IP.

I have a feeling that in the WordPress code, the = symbol is not 'escaped', so Failed Update occurs and indeed the server itself then permanently blocks my IP, as posting this symbol seems to appear like an SQL injection attack.

The simple solution is to not include the = sign in posts and just write 'equals', but that is obviously not ideal.
Thank you
James
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44861>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
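The report above describes a host firewall treating an = sign in ordinary post content as a SQL injection attempt. The example below is added here and is not code from the ticket or from WordPress; it uses Python's sqlite3 to show that content bound as a query parameter (the same principle behind WordPress's prepared inserts) is stored as plain data regardless of any = it contains, and that a naive signature keyed on = flags harmless posts. The sample posts and the naive pattern are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample post bodies (not taken from the ticket).
SAMPLE_POSTS = [
    "The answer is 2 + 2 = 4.",
    "Set WP_DEBUG = true in wp-config.php",
    "No operators here at all",
]

# Assumption: a crude rule that treats any "=" in a request body as a SQL
# injection signature. This models the kind of check that produces the false
# positive described in the ticket; it is not a real vendor ruleset.
NAIVE_SQLI_PATTERN = re.compile(r"=")


def naive_waf_flags(body: str) -> bool:
    """True if the crude signature would block this post body."""
    return bool(NAIVE_SQLI_PATTERN.search(body))


def store_post(conn: sqlite3.Connection, content: str) -> None:
    """Insert with a bound parameter: the body is data, never part of the
    SQL text, so "=" in it cannot change the statement's structure."""
    conn.execute("INSERT INTO posts(content) VALUES (?)", (content,))
    conn.commit()


def round_trip(contents: list) -> list:
    """Store every post with parameter binding and read them back unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts(id INTEGER PRIMARY KEY, content TEXT)")
    for body in contents:
        store_post(conn, body)
    rows = [r[0] for r in conn.execute("SELECT content FROM posts ORDER BY id")]
    conn.close()
    return rows


def false_positives(contents: list) -> list:
    """Posts the naive rule blocks even though bound storage handles them safely."""
    return [body for body in contents if naive_waf_flags(body)]


if __name__ == "__main__":
    print("stored unchanged:", round_trip(SAMPLE_POSTS) == SAMPLE_POSTS)
    print("blocked by naive rule:", false_positives(SAMPLE_POSTS))
```

The contrast is the point for a defender: a legitimate "=" never reaches the SQL text when the application binds parameters, so a rule that blocks on the character alone is adding false positives, not protection.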