Title: New SQL Injection vulnerability?
Last modified: August 18, 2016

---

# New SQL Injection vulnerability?

 *  [whit](https://wordpress.org/support/users/whit/)
 * (@whit)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/)
 * Gentoo is reporting that all WordPress versions < 2 are vulnerable if comments
   are enabled. Yet I’m not finding a warning prominent on WordPress.org or instructions
   on how to patch 1.5.x versions to fix this. What’s up with it?
 * (See [http://www.gentoo.org/security/en/glsa/glsa-200603-01.xml](http://www.gentoo.org/security/en/glsa/glsa-200603-01.xml))

Viewing 15 replies - 1 through 15 (of 41 total)

1 [2](https://wordpress.org/support/topic/new-sql-injection-vulnerability/page/2/?output_format=md)
[3](https://wordpress.org/support/topic/new-sql-injection-vulnerability/page/3/?output_format=md)
[→](https://wordpress.org/support/topic/new-sql-injection-vulnerability/page/2/?output_format=md)

 *  [TechGnome](https://wordpress.org/support/users/techgnome/)
 * (@techgnome)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350466)
 * Well, I guess that solves a problem for me….
 * A shame really.
 * -tg
 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350467)
 * Crap.
    Please can this be patched against?
 * Edit:
    If you are using 1.5.2, backup your database. Frequently.
 *  [TechGnome](https://wordpress.org/support/users/techgnome/)
 * (@techgnome)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350473)
 * Comment #10 on the bug page ([http://bugs.gentoo.org/show_bug.cgi?id=121661](http://bugs.gentoo.org/show_bug.cgi?id=121661)) reads as follows:
 * > ah. Sorry should have notified you about my progress. I got in contact with
   > Ryan Boren through security@wordpress.org
   > and discussed the bug with him. His comments were:
   > “1.5.2 has several security bugs that are fixed by 2.0.x, including this one.
   > 1.5.2 is pretty much unmaintained now. We could patch this bug, but there would
   > still be several bugs remaining unless we backport everything from 2.0.1.
   >  
   > We hadn’t planned on backporting anything to 1.5.2.”
   > So it’s OK to release with me.
 * So that sounds like a “uh, no.” to me…..
 * Like I said, it just made a decision easier for me.
 * -tg
 *  [vkaryl](https://wordpress.org/support/users/vkaryl/)
 * (@vkaryl)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350475)
 * And wasn’t it of course only a matter of time anyway….
 * Poop. Good thing I’ve been getting familiar with 2.0.1 – *sigh*
 * Even though I’m the queen of redundant backups, I’m not gonna mess with trying
   to stay with 1.5.2 I guess.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350476)
 * the fix for that.. rather “how” to fix is on trac. Podz, I think you’re the one
   that linked to the changed files in another thread..
 * compare the comment-functions.php’s:
 * 2.0.* :

   ```php
   function wp_filter_comment($commentdata) {
       ....
       $commentdata['comment_agent'] = apply_filters('pre_comment_user_agent', $commentdata['comment_agent']);
       ....
   }
   ```
 * .. and so on..
 * kses.php was the other file that changed as well if I remem. correctly.
 * (nice that I moderate everything)
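The pattern whooami points at, a `pre_comment_user_agent` filter run over the User-Agent before it is stored, is shown below as an added example; it is not WordPress code and not the diff on trac. The small `add_filter` / `apply_filters` pair is a stand-in for the WordPress plugin API so the script runs on its own, the `comments` table and the incoming comment are constructed, and storage goes through a PDO prepared statement against an in-memory SQLite database (assumed available) so a quote or backtick in the header is bound as data rather than parsed as SQL:

```php
<?php
// Added example, not WordPress code: a filter on the User-Agent plus a bound
// insert, the two layers that keep header content out of the SQL text.

$GLOBALS['filters'] = [];

// Stand-in for the WordPress plugin API (assumption: same call shape).
function add_filter(string $tag, callable $fn): void {
    $GLOBALS['filters'][$tag][] = $fn;
}

function apply_filters(string $tag, $value) {
    foreach ($GLOBALS['filters'][$tag] ?? [] as $fn) {
        $value = $fn($value);
    }
    return $value;
}

// Sanitiser hooked to the filter named on the page: drop control characters
// (NUL included) and cap the length to what the column can hold.
add_filter('pre_comment_user_agent', function (string $ua): string {
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $ua);
    return substr($ua, 0, 255);
});

// Mirrors the 2.0.* shape quoted above: the agent passes through the filter
// before the comment data reaches storage.
function wp_filter_comment(array $commentdata): array {
    $commentdata['comment_agent'] = apply_filters('pre_comment_user_agent', $commentdata['comment_agent']);
    return $commentdata;
}

// Storage: every value is a bound parameter, never concatenated into the
// statement, so the database sees one INSERT whatever the header contains.
function store_comment(PDO $db, array $commentdata): int {
    $stmt = $db->prepare(
        'INSERT INTO comments (comment_content, comment_agent) VALUES (:content, :agent)'
    );
    $stmt->execute([
        ':content' => $commentdata['comment_content'],
        ':agent'   => $commentdata['comment_agent'],
    ]);
    return (int) $db->lastInsertId();
}

function fetch_agent(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT comment_agent FROM comments WHERE comment_ID = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (comment_ID INTEGER PRIMARY KEY, comment_content TEXT, comment_agent TEXT)');

// Constructed User-Agent carrying a backtick, quotes and a NUL byte, the kind
// of value a UA switcher extension lets you send.
$incoming = [
    'comment_content' => 'hello',
    'comment_agent'   => "Mozilla/5.0 (test) `'\" -- \x00trailing",
];

$id = store_comment($db, wp_filter_comment($incoming));

// The stored value is the sanitised string: NUL gone, quotes and backtick kept
// as ordinary characters, and the table still has exactly one row.
var_dump(fetch_agent($db, $id) === "Mozilla/5.0 (test) `'\" -- trailing");
var_dump((int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn() === 1);
```

Run it with `php` on the command line; both checks print `bool(true)`. The filter is about data hygiene (control characters, length), while the prepared statement is what actually removes the injection risk; the two are independent, and a site that escapes by hand at every query site is one missed call away from the 1.5.2 situation the thread describes.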
 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350477)
 * vkaryl – “And wasn’t it of course only a matter of time anyway…”
 * so 2.0.2 will be insecure by definition ?
 *  [vkaryl](https://wordpress.org/support/users/vkaryl/)
 * (@vkaryl)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350479)
 * I think everything is “insecure by definition” simply because there’s a whole
   world of idiots out there who spend their lives digging to find exploitable areas.
 * Be nice to be wrong.
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350480)
 * this is actually old …see #5
 * oops, I guess a link is needed.
 * [http://www.frsirt.com/english/advisories/2005/0925](http://www.frsirt.com/english/advisories/2005/0925)
 *  [lhk](https://wordpress.org/support/users/lhk/)
 * (@lhk)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350481)
 * Hi,
 * do I understand correctly that moderated comments are not touched by that problem?
 * LHK
 *  [whooami](https://wordpress.org/support/users/whooami/)
 * (@whooami)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350482)
 * that’s what I read. shall we try it? I have a ua switcher extension installed
   🙂 fwiw, I can’t even view my site WITH a ` in my u-a (go figure, cookies)
 *  [kickass](https://wordpress.org/support/users/kickass/)
 * (@kickass)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350483)
 * whooami, am I to understand from what you said above that 1.5.x can be patched
   at least temporarily? I have not the time nor the patience right now to do a 
   complete upgrade on my own blog and deal with the resulting fallout from the 
   buggy 2.0.1. Bad enough I have to CLEAR EVERY DAMN THING in my client layouts
   right now just to get that bad b&tch to render them right (whereas 1.5.x doesn’t
   need any of it.) *grumbles about hackers, bugs, and life in general*
 *  [lhk](https://wordpress.org/support/users/lhk/)
 * (@lhk)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350484)
 * LOL whooami,
 * you’re way above my head 😉
 * I’m just wondering whether I still have some time before I need to update other
   blogs I also maintain which still are on 1.5.2. Comments usually are – as per
   definition – set to moderated for blog sites I set up for people, because it’s
   not really spam they need to guard against, rather competitor nastiness.
 * After seeing quite a few problems people have here with updating, I want to sandbox
   all the updates first and had hoped to be able to do that at leisure.
 * LHK
 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350485)
 * Do NOT upgrade to 2.0.1 !!
    You’ll have to then upgrade to 2.0.2
 * Wait. Hopefully the dev blog will have something. Soon.
 *  [vkaryl](https://wordpress.org/support/users/vkaryl/)
 * (@vkaryl)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350486)
 * Hey, that’s nice (sarcasm should be assumed there)…. what’s happened to my tester’s
   list emails that should have info about this? I only got one digest yesterday,
   nothing so far today….
 * Last thing I read, 2.0.2 was still on hold. Sheesh.
 *  [lhk](https://wordpress.org/support/users/lhk/)
 * (@lhk)
 * [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/#post-350487)
 * Hi Podz,
 * and why is it such a horror to upgrade to 2.0.2 from 2.0.1? *scratching my head*
 * LHK


The topic ‘New SQL Injection vulnerability?’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 41 replies
 * 11 participants
 * Last reply from: [whooami](https://wordpress.org/support/users/whooami/)
 * Last activity: [20 years, 3 months ago](https://wordpress.org/support/topic/new-sql-injection-vulnerability/page/3/#post-350599)
 * Status: not resolved
