[UPDATE] WPML has released a new version with a permanent fix, download version 3.8.4 from wpml.org.
BREAKING NEWS … Literally!
If you experience inexplicable 404s on your WordPress site after you updated to version 4.8.3, and you are using WPML (sitepress multilingual cms) version 3.8.0 or higher, you will need a fix. (Duh!)
The cause is WPML not properly using WPDB->prepare(). [UPDATE] More precisely, WPML adds/removes its filters on the query too late; the priority is now fixed from 10 to -1.
A quick fix:
create a mu-plugin “fix-wpml-404.php” with the following content:
<?php
// Priority 11 runs after the default priority 10 hooks on 'query', including
// WordPress core's own placeholder cleanup, so any escape token that WPML
// injected afterwards is turned back into a literal '%' before the SQL
// reaches MySQL.
add_filter('query', function ($q) {
    global $wpdb;
    // remove_placeholder_escape() only exists from WordPress 4.8.3 on.
    if (method_exists($wpdb, 'remove_placeholder_escape')) {
        $q = $wpdb->remove_placeholder_escape($q);
    }
    return $q;
}, 11);
The long-term fix:
I will submit the following patch to OnTheGoSystems:
--- sitepress-multilingual-cms-3.8.3/classes/query-filtering/class-wpml-get-page-by-path.php.orig.php 2017-11-01 10:06:32.000000000 +0100
+++ sitepress-multilingual-cms-3.8.3/classes/query-filtering/class-wpml-get-page-by-path.php 2017-11-01 12:52:20.000000000 +0100
@@ -34,6 +34,10 @@
$where = $this->wpdb->prepare( "ID IN ( SELECT element_id FROM {$this->wpdb->prefix}icl_translations WHERE language_code = %s AND element_type LIKE 'post_%%' ) AND ", $this->language );
+ if (method_exists($this->wpdb, 'remove_placeholder_escape')) {
+ $where = $this->wpdb->remove_placeholder_escape( $where );
+ }
+
$query = str_replace( "WHERE ", "WHERE " . $where, $query );
}
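Review bot: Stripping the escape right after prepare() (the added method_exists block before the str_replace) works for the literal '%%' in 'post_%%', but it also turns any '%' that prepare() escaped inside $this->language back into a bare '%' in $where; that undoes the escaping wpdb 4.8.3 introduced, so it is only safe as long as the assembled $query is never passed back through prepare(). A change that keeps core's escaping intact would be to register this filter on 'query' ahead of wpdb's own remove_placeholder_escape (the priority change from 10 to -1 mentioned in the update), so the fragment is inserted before core strips the tokens. The method_exists guard itself is the right compatibility check for installs older than 4.8.3.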
(indents are fkd up by WordPress, so please download the patch here)
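As an added example (not code from this post, from WPML or from WordPress core), here is a small PHP model of the mechanism behind the 404s, covering both the quick fix above and the priority change mentioned in the update. The MiniWpdb class is a stand-in for wpdb, the salt, the 'wp_' table prefix and the language code 'en' are constructed for the demo, and the injected fragment mirrors the one in the patch above. It runs the same page lookup three ways: plugin filter at priority 10 (the escape token leaks into the SQL, so the LIKE matches nothing), at priority -1 (core strips the token afterwards), and with the token stripped inside the plugin.

```php
<?php
// Added example, not code from WPML or WordPress core: a small stand-in for
// wpdb that models the two pieces of WordPress 4.8.3 that matter here.
//   1. prepare() replaces every literal '%' in the finished SQL with a random
//      escape token, so a '%' inside a value can never act as a placeholder.
//   2. The token is turned back into '%' by a 'query' filter that core hooks
//      at the default priority 10, just before the SQL is sent to MySQL.
// A plugin that injects its own prepare()d fragment from a 'query' filter at
// priority 10 runs after that cleanup, so its tokens reach the database.
// The table name, salt and language code below are constructed for the demo.

class MiniWpdb
{
    private $token;
    private $filters = [];   // priority => callables hooked on 'query'

    public function __construct()
    {
        // wpdb uses a per-request random salt; a fixed one keeps output readable.
        $this->token = '{' . hash('sha256', 'constructed-salt') . '}';
    }

    public function add_query_filter(callable $cb, int $priority = 10): void
    {
        $this->filters[$priority][] = $cb;
    }

    // Model of prepare(): escape the values, fill the format, then hide every
    // literal '%' (from '%%' in the format or from a value) behind the token.
    public function prepare(string $format, string ...$args): string
    {
        $sql = vsprintf($format, array_map('addslashes', $args));
        return str_replace('%', $this->token, $sql);
    }

    public function remove_placeholder_escape(string $sql): string
    {
        return str_replace($this->token, '%', $sql);
    }

    // Model of query(): run the 'query' filter chain in priority order and
    // return the SQL that would be sent to the server.
    public function query(string $sql): string
    {
        ksort($this->filters);
        foreach ($this->filters as $callbacks) {
            foreach ($callbacks as $cb) {
                $sql = $cb($sql);
            }
        }
        return $sql;
    }
}

// Build the page lookup with a WPML-style language filter hooked on 'query'.
function lookup_sql(int $plugin_priority, bool $strip_in_plugin): string
{
    $db = new MiniWpdb();
    // Core hooks its cleanup first, at priority 10.
    $db->add_query_filter([$db, 'remove_placeholder_escape'], 10);

    $db->add_query_filter(function (string $q) use ($db, $strip_in_plugin) {
        // Same shape as the fragment in the patch; 'wp_' prefix is assumed.
        $where = $db->prepare(
            "ID IN ( SELECT element_id FROM wp_icl_translations "
            . "WHERE language_code = '%s' AND element_type LIKE 'post_%%' ) AND ",
            'en'
        );
        if ($strip_in_plugin) {
            $where = $db->remove_placeholder_escape($where);   // the quick fix
        }
        return str_replace('WHERE ', 'WHERE ' . $where, $q);
    }, $plugin_priority);

    return $db->query("SELECT ID FROM wp_posts WHERE post_name = 'about'");
}

$cases = [
    [10, false, 'plugin filter at priority 10 (the 404 case)'],
    [-1, false, 'plugin filter at priority -1 (the 3.8.4 fix)'],
    [10, true,  'strip the token inside the plugin (the quick fix)'],
];
foreach ($cases as [$priority, $strip, $label]) {
    $sql = lookup_sql($priority, $strip);
    $state = strpos($sql, '{') === false ? 'clean' : 'ESCAPE TOKEN LEAKED';
    echo "$label: $state\n  $sql\n";
}
```

The first case is what WPML 3.8.0 to 3.8.3 did on WordPress 4.8.3: the fragment is inserted after core has already removed the tokens, so the SQL that reaches MySQL contains `LIKE 'post_{token}'`, matches no rows, and the page lookup fails with a 404. Moving the hook ahead of core's cleanup keeps core's escaping intact; stripping inside the plugin also works, at the cost of undoing that escaping for the fragment.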
For in-depth information on this subject, please read:
https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html