Critical severity9.8NVD Advisory· Published Sep 23, 2017· Updated May 13, 2026

CVE-2017-14723

Description

Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.

Affected products

WordPress/WordPress
cpe:2.3:a:wordpress:wordpress:*:*:*:*:*:*:*:*
Range: <=4.8.1
Package: https://wordpress.org/plugins/wordpress

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

core.trac.wordpress.org/changeset/41470nvdPatchVendor Advisory
core.trac.wordpress.org/changeset/41496nvdPatchVendor Advisory
github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48nvdIssue TrackingPatchThird Party Advisory
github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ecnvdIssue TrackingPatchThird Party Advisory
wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/nvdPatchRelease NotesVendor Advisory
medium.com/websec/wordpress-sqli-bbb2afcc8e94nvdExploitMitigationThird Party Advisory
medium.com/websec/wordpress-sqli-poc-f1827c20bf8envdExploitThird Party Advisory
www.securityfocus.com/bid/100912nvdThird Party AdvisoryVDB Entry
www.securitytracker.com/id/1039553nvd
www.debian.org/security/2017/dsa-3997nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.008
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000