Kerentanan SQL injection pada fungsi do_trackbacks di wp-includes/comment.php di versi WordPress dibawah 3.0.2 yang memungkinkan pengguna terautentikasi untuk mengeksekusi perintah SQL arbitrary lewat kolom Send Trackbacks.

Tanggal Publikasi : 2010-12-07

Tanggal Update Terakhir : 2011-01-19

Kode :

function do_trackbacks($post_id) {
global $wpdb;

$post = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->posts WHERE ID = %d", $post_id) );
$to_ping = get_to_ping($post_id);
$pinged  = get_pung($post_id);
if ( empty($to_ping) ) {
$wpdb->update($wpdb->posts, array('to_ping' => ''), array('ID' => $post_id) );
return;
}

if ( empty($post->post_excerpt) )
$excerpt = apply_filters('the_content', $post->post_content);
else
$excerpt = apply_filters('the_excerpt', $post->post_excerpt);
$excerpt = str_replace(']]>', ']]>', $excerpt);
$excerpt = wp_html_excerpt($excerpt, 252) . '...';

$post_title = apply_filters('the_title', $post->post_title);
$post_title = strip_tags($post_title);

if ( $to_ping ) {
foreach ( (array) $to_ping as $tb_ping ) {
$tb_ping = trim($tb_ping);
if ( !in_array($tb_ping, $pinged) ) {
trackback($tb_ping, $post_title, $excerpt, $post_id);
$pinged[] = $tb_ping;
} else {
$wpdb->query( $wpdb->prepare("UPDATE $wpdb->posts SET to_ping = TRIM(REPLACE(to_ping, '$tb_ping', '')) WHERE ID = %d", $post_id) );
}
}
}
}