CVE-2017-14723

critical

Published 2017-09-23 · Modified 2026-05-13

CVSS v3

9.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

7.5

VIR risk

9.8

Description

Before version 4.8.2, WordPress mishandled % characters and additional placeholder values in $wpdb->prepare, and thus did not properly address the possibility of plugins and themes enabling SQL injection attacks.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-14723

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://medium.com/websec/wordpress-sqli-bbb2afcc8e94

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/WordPress/WordPress/commit/fc930d3daed1c3acef010d04acc2c5de93cd18ec

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://github.com/WordPress/WordPress/commit/70b21279098fc973eae803693c0705a548128e48

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://core.trac.wordpress.org/changeset/41496

vendor Authored 2026-05-27

Vendor advisory: cve@mitre.org — https://core.trac.wordpress.org/changeset/41470

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`4.8.2+dfsg-1`
debian	bullseye	fixed	`4.8.2+dfsg-1`
debian	forky	fixed	`4.8.2+dfsg-1`
debian	sid	fixed	`4.8.2+dfsg-1`
debian	trixie	fixed	`4.8.2+dfsg-1`

Application impact

Vendor	Product	Versions	Fixed
wordpress	wordpress	`{"endIncluding":"4.8.1"}`

References

CWEs

CWE-89

Verify integrity in audit chain (admin only). AS-IS.