WordPress-Community

On October 31, 2017, WordPress.org released version 4.8.3 (which is available for direct download here). This is a security release for all previous versions and we strongly encourage you to update all WordPress-based websites as soon as possible. If you have automatic background updates enabled from your WordPress dashboard, this should have happened automatically, or will be happening very shortly. If you do not have automatic updates enabled (we of course recommend that you do), you can update to the new version manually from Dashboard → Updates.

All previous WordPress versions are affected by an issue in $wpdb->prepare(), the function that builds a SQL query for safe execution by substituting values into sprintf()-like placeholders such as %s and %d. In some circumstances it can produce unexpected and unsafe queries, leading to potential SQL injection, which is very bad news for your website and/or your server. WordPress core itself is not directly vulnerable to this issue, but the WordPress development team reports that hardening has been added as a precaution, to prevent plugins and themes from accidentally introducing such a vulnerability.
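The practical rule behind this release is simple: the first argument to $wpdb->prepare() must be a literal template, and every piece of user data must travel as a separate argument. The following is an added example written for this page; it is not WordPress code and demo_prepare() is only a stripped-down stand-in for $wpdb->prepare() (sprintf-style placeholders, strings quoted and escaped with addslashes()). It shows the safe call next to the unsafe habit of escaping a value and interpolating it into the template, where a % inside the value becomes a format directive. The search string and post ID are constructed sample input.

```php
<?php
// Added example, not WordPress code. demo_prepare() is a deliberately tiny
// stand-in for $wpdb->prepare(): like the real one it treats its first
// argument as a sprintf()-style template and substitutes the remaining
// arguments into %s / %d placeholders, quoting and escaping strings.
function demo_prepare(string $template, ...$args): string
{
    $i = 0;
    return preg_replace_callback('/%[sd]/', function (array $m) use ($args, &$i) {
        $value = $args[$i++] ?? null;         // next positional argument, if any
        if ($m[0] === '%d') {
            return (string) (int) $value;     // %d coerces to an integer
        }
        // %s: escape quotes and backslashes, then wrap in single quotes
        return "'" . addslashes((string) $value) . "'";
    }, $template);
}

// Constructed input: what a visitor might type into a search box.
$user_input = "x' OR 1=1 -- %s";
$post_id    = 42;

// SAFE: the template is a literal; user data travels only as an argument.
// The %s inside the value is never read as a placeholder because only the
// template is scanned for directives.
$safe = demo_prepare(
    "SELECT * FROM wp_posts WHERE post_title = %s AND ID = %d",
    $user_input,
    $post_id
);
// SELECT * FROM wp_posts WHERE post_title = 'x\' OR 1=1 -- %s' AND ID = 42

// UNSAFE: the developer escaped the value and interpolated it into the
// template. Escaping handles the quote, but the %s inside the value is now
// a directive in the template and consumes the argument meant for %d.
$escaped = addslashes($user_input);
$unsafe = demo_prepare(
    "SELECT * FROM wp_posts WHERE post_title = '$escaped' AND ID = %d",
    $post_id
);
// SELECT * FROM wp_posts WHERE post_title = 'x\' OR 1=1 -- '42'' AND ID = 0

echo "safe:   ", $safe, PHP_EOL;
echo "unsafe: ", $unsafe, PHP_EOL;
```

The unsafe query is not the one the developer wrote: the ID filter has collapsed to 0 and the quoting is broken, which is the class of "unexpected and unsafe queries" this release hardens against. When reviewing plugin or theme code, grep for prepare() calls whose first argument is built with string interpolation or concatenation, or fed from esc_sql() output; those are the call sites to fix.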

An awesome detail here is that this specific security issue was discovered and then properly reported by an alert (and awesome!) community member. So if you ever discover what you believe to be a significant security vulnerability in WordPress core, whether your experience level is beginner or advanced, please be just as awesome yourself and disclose it responsibly!

This version also changes the behavior of the esc_sql() function. Most developers shouldn't be affected; the change mainly matters to code that feeds the output of esc_sql() back into a $wpdb->prepare() template. If you are concerned or would like further details, please see the developer note for this version.