WordPress 4.8.3, what happened behind the scenes

This latest security update, WordPress 4.8.3, comes with a story behind the scenes.

From what we have been able to find out, the SQL injection vulnerability was already present in version 4.8.2, which included an attempted patch that only half solved the problem.

In fact, this vulnerability was known to the WordPress core security team six weeks ago, but they decided to ignore it.

What really happened? Why did it take six weeks to fix this vulnerability?

Let’s start from the beginning. Engineer Anthony Ferrara discovered this vulnerability and reported it to the WordPress core security team, but they simply ignored him.

After several unsuccessful attempts by A. Ferrara to get the core security team to take the problem seriously, he decided to give the core team an ultimatum via social media.

If they did not solve the problem, he would make the vulnerability public, together with how to exploit it.

Given this, and seeing the repercussions of Ferrara’s tweets, the core team had no choice but to contact Ferrara to ask for time to resolve the incident and, as far as possible, for his collaboration: not only to refrain from making it public, but to help close the vulnerability.

I repeat, it does not directly affect the WordPress core, but it does affect plugins and themes, which would ultimately affect the WordPress core.

Ferrara gave October 31 as the deadline and, as we have seen, WordPress 4.8.3 came out as an automatic update that same day, as we announced here and on several social networks.

The process has not been easy. There was little harmony between Aaron Campbell, leader of the WordPress security team, and A. Ferrara, and a mediator even had to be brought in to reach a successful conclusion.

After several collaborations between both parties, a solution was reached that would patch this vulnerability in the form of the new version 4.8.3.

In the 4.8.3 release announcement on the official WordPress blog, Anthony Ferrara is thanked for discovering the vulnerability and helping to fix it, even though the head of the WordPress security team was not happy about being pressured with public disclosure if Ferrara was not listened to. The situation has not been easy to handle, but for the sake of the millions of WordPress users we appreciate that they found common ground, and now we are all safe, or at least those of us who are up to date.

In any case, this patch does not make WordPress work entirely well; I have noticed some “lags”, surely due to plugins and themes that must be updated to close this original bug in their code and make everything run smoothly again.

In fact, as I mentioned in the previous program, in the coming days we will see many updates to plugins and themes, so we must stay vigilant. WPML, the popular translation plugin, for example, has been one of the first to update to address this issue, but surely there will be many more.

Today, Thursday, November 2, at 7:00 p.m. Spanish time, live in this same article, we will tell you all the details, in addition to our usual sections: security, updates and community news.

WordPress News in Spanish, every Tuesday and Thursday at 7:00 p.m. live, with Antonio Postigo (@hoystreaming) and Pedro Santos (@hostfusion).

All the videos from previous programs are available in the WordPress News in Spanish section and also in our Podcast.

An original idea from Host-Fusion.Com, your trustworthy WordPress hosting provider, and HoyStreaming.com, your digital window to the world.

20% discount on WordPress hosting at Host-Fusion.com