BREAKING NEWS – WordPress 4.8.3 with WPML (sitepress multilingual cms) 3.8.0 and up causes Page Not Found

[UPDATE] WPML has released a new version with a permanent fix, download version 3.8.4 from wpml.org.

BREAKING NEWS … Literally!

If you experience inexplicable 404s on your WordPress site after you updated to version 4.8.3, and you are using WPML (sitepress multilingual cms) version 3.8.0 or higher, you will need a fix. (Duh!)

The cause is WPML not using WPDB->prepare() properly; [UPDATE] more precisely, WPML adds and removes its filters on the query too late. The priority has now been changed from 10 to -1.

A quick fix:

create a mu-plugin “fix-wpml-404.php” with the following content:

<?php
// Run after WordPress core's own 'query' filter (priority 10) and strip any
// placeholder-escape token that WPML's prepared clause left behind.
add_filter('query', function ($q) {
    global $wpdb;
    // remove_placeholder_escape() only exists from WordPress 4.8.3 on.
    if (method_exists($wpdb, 'remove_placeholder_escape')) {
        $q = $wpdb->remove_placeholder_escape($q);
    }
    return $q;
}, 11);
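To see why the lookup breaks and what each of the fixes changes, here is an added, stand-alone PHP illustration (not the post's code and not WordPress or WPML code): a toy prepare() with a placeholder escape, a toy 'query' filter chain, and the three filter orderings discussed above. toy_prepare, register, run_query and the token value are invented, and the assumption that core registers its own filter before the plugin does is mine.

```php
<?php
// Toy model (added illustration, not WordPress/WPML code) of the 4.8.3 placeholder
// escape and the 'query' filter order; toy_prepare/register/run_query are invented.
const ESCAPE_TOKEN = '{a1b2c3}';  // stands in for wpdb's random placeholder escape

// Like wpdb::prepare() since 4.8.3: a literal %% becomes a token so a % can never be
// re-read as a placeholder if the string is prepared again.
function toy_prepare(string $sql, string ...$args): string {
    $sql = str_replace('%%', ESCAPE_TOKEN, $sql);
    foreach ($args as $a) {
        $sql = preg_replace('/%s/', "'" . addslashes($a) . "'", $sql, 1);
    }
    return $sql;
}
function remove_placeholder_escape(string $sql): string {
    return str_replace(ESCAPE_TOKEN, '%', $sql);
}

// Minimal stand-in for add_filter('query', ...) / apply_filters('query', ...).
function register(array &$filters, int $priority, callable $cb): void {
    $filters[$priority][] = $cb;
}
function run_query(array $filters, string $query): string {
    ksort($filters);  // lower priority runs first, ties in registration order
    foreach ($filters as $cbs) {
        foreach ($cbs as $cb) { $query = $cb($query); }
    }
    return $query;
}

// WPML-style filter: splice a prepared language clause into the WHERE.
$wpml = function (string $q): string {
    $where = toy_prepare("ID IN (SELECT element_id FROM wp_icl_translations WHERE "
        . "language_code = %s AND element_type LIKE 'post_%%') AND ", 'nl');
    return str_replace('WHERE ', 'WHERE ' . $where, $q);
};
$core = 'remove_placeholder_escape';  // core's own 'query' filter, priority 10
$base = "SELECT ID FROM wp_posts WHERE post_name = 'about'";

foreach ([10 => 'WPML at 10 (token survives: 404)', -1 => 'WPML at -1 (3.8.4 fix)'] as $p => $label) {
    $f = [];
    register($f, 10, $core);  // core registered before the plugin
    register($f, $p, $wpml);
    echo $label, ': ', run_query($f, $base), PHP_EOL;
}
// The post's mu-plugin: strip the escape again at priority 11, after both filters.
$f = [];
register($f, 10, $core); register($f, 10, $wpml); register($f, 11, $core);
echo 'WPML at 10 + mu-plugin at 11: ', run_query($f, $base), PHP_EOL;
```

The first line printed still carries `LIKE 'post_{a1b2c3}'`, which matches no row, while the other two end in `LIKE 'post_%'`.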

The long-term fix:

I will submit the following patch to OnTheGoSystems:

--- sitepress-multilingual-cms-3.8.3/classes/query-filtering/class-wpml-get-page-by-path.php.orig.php 2017-11-01 10:06:32.000000000 +0100
+++ sitepress-multilingual-cms-3.8.3/classes/query-filtering/class-wpml-get-page-by-path.php 2017-11-01 12:52:20.000000000 +0100
@@ -34,6 +34,10 @@
 
  $where = $this->wpdb->prepare( "ID IN ( SELECT element_id FROM {$this->wpdb->prefix}icl_translations WHERE language_code = %s AND element_type LIKE 'post_%%' ) AND ", $this->language );
 
+ if (method_exists($this->wpdb, 'remove_placeholder_escape')) {
+ $where = $this->wpdb->remove_placeholder_escape( $where );
+ }
+
  $query = str_replace( "WHERE ", "WHERE " . $where, $query );
  }
 
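Review bot: the new remove_placeholder_escape() call in this hunk needs a comment stating why it is here, because it undoes a protection added in 4.8.3: prepare() turns the literal % of 'post_%%' into an escape token so the string cannot be re-interpreted if it is ever prepared a second time, and the hunk strips that token early only because $where is spliced into $query with str_replace and never passed to prepare() again. Suggest a one-line comment above the `if` saying exactly that, and keeping the method_exists guard, which is what lets the class still load on WordPress releases before 4.8.3 where the method does not exist.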

(WordPress mangles the indentation, so please download the patch here)

For in-depth information on this subject, please read:

https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html


Author: Remon Pel

WebDeveloper though not WebDesigner
