Why There Was a WordPress 4.8.3
If you didn’t see the drama around WordPress security last Friday, you might still have noticed that WordPress 4.8.3 dropped on Tuesday. The short version of the drama is that last Friday Anthony Ferrara, who isn’t well-known inside of WordPress but is well-known and well-regarded on the general topic of PHP security, threatened that he was going to fully disclose a security vulnerability in WordPress “soon”. This caused an understandable amount of consternation, because, well, it wouldn’t be great for a fully disclosed vulnerability in WordPress core to be in the wild.
Because of the nature of this sort of situation, it’s hard to know who to trust. Maybe the WordPress core team was handling Anthony’s efforts to contact them in secret poorly. Maybe Anthony was demanding an unrealistic level of understanding and response from the core team on the topic. What we do know is that Anthony has published his version of events and that the whole thing got a good write-up on WP Tavern as well.
If you’re a developer and interested in the topic, Anthony Ferrara’s article on the technical details of the vulnerability is definitely worth your time. I think an average WordPress developer doesn’t really need to know much about the details; a lot of it is esoteric knowledge that you can happily write totally secure code without fully understanding.
But I also think that Anthony makes some good points, perhaps the best of which is that you should never pass user input into the query string itself when building statements with $wpdb; it belongs only in the placeholder values. This has never been recommended, but if you’re doing it, read the article carefully and you’ll understand better why you should stop.
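To make that point concrete, here is an added example (not code from the post, from Anthony Ferrara, or from WordPress core) contrasting the two habits. It assumes a hypothetical search term arriving in `$_GET['q']` and uses only the documented `$wpdb->prepare()` placeholders (`%s`, `%d`).

```php
<?php
// Added illustration of the point above; $title is attacker-controlled.
$title = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
$status = 'publish';

// WRONG: user input is concatenated into the *first* argument of prepare().
// The query template is the part prepare() trusts; anything the user puts
// there (quotes, or stray % sequences that look like placeholders) is
// interpreted as part of the statement, not as a value.
$unsafe_sql = $wpdb->prepare(
    "SELECT ID FROM {$wpdb->posts} WHERE post_title = '" . $title . "' AND post_status = %s",
    $status
);

// ALSO WRONG: feeding an already-prepared string back into prepare() as the
// template. The first pass has turned the value into literal SQL text, so the
// second pass treats whatever it contains as template syntax.
$first_pass = $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_title = %s", $title );
$double_prepared = $wpdb->prepare( $first_pass . " AND post_status = %s", $status );

// RIGHT: the template is a developer-written constant; every piece of user
// input travels through a placeholder, where prepare() escapes it.
$safe_sql = $wpdb->prepare(
    "SELECT ID FROM {$wpdb->posts} WHERE post_title = %s AND post_status = %s LIMIT %d",
    $title,
    $status,
    10
);
$rows = $wpdb->get_results( $safe_sql );

// Quick self-check during code review: grep for prepare() calls whose first
// argument is anything other than a literal string (a variable, a
// concatenation, or the result of another prepare()). Those are the ones
// the point above is about.
```

The rule of thumb that follows: the first argument to `$wpdb->prepare()` should always be a string literal you wrote, and user data only ever appears after it.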