CVE-2025-12118: Wpdb Prepare Alter Table Structural Injection
Improper use of the `%s` placeholder in `$wpdb->prepare()` for structural SQL clauses such as `ALTER TABLE ...`. `%s` is a string placeholder: `prepare()` emits the value as a single-quoted literal, and MySQL does not accept a quoted string where an identifier (a table or column name) is required, so the generated schema-change statement fails with a syntax error. When the return value of the query is not checked, the database upgrade fails silently and the affected columns keep their old, more restrictive sizes, leaving data written afterwards vulnerable to truncation.
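The pattern the rule describes, shown as an added example that is not code from the rule page or from WordPress core. It assumes a WordPress environment (the global `$wpdb` handle), a hypothetical plugin table `{prefix}example_tokens` with a `token` column, and WordPress 6.2 or later for the `%i` identifier placeholder; the fallback helper for older versions is also hypothetical.

```php
<?php
// Added example (not from the rule page or WordPress core). Runs inside
// WordPress, e.g. from a plugin's upgrade routine, where $wpdb is the global
// database handle. Table and column names are hypothetical.

// Vulnerable form: %s is a string placeholder. prepare() emits the table
// name as a quoted literal, so the statement becomes
//   ALTER TABLE 'wp_example_tokens' MODIFY COLUMN token VARCHAR(255) NOT NULL
// and MySQL rejects it, because a quoted string is not an identifier.
function example_upgrade_schema_vulnerable(): bool {
    global $wpdb;
    $table = $wpdb->prefix . 'example_tokens';

    $sql = $wpdb->prepare(
        'ALTER TABLE %s MODIFY COLUMN token VARCHAR(255) NOT NULL',
        $table
    );

    // $wpdb->query() returns false on error. Ignoring that return value is
    // what turns the syntax error into a silent failure: the column keeps its
    // old, narrower type and longer tokens written later are truncated.
    $wpdb->query( $sql );
    return true; // reported as success even though the ALTER did not run
}

// Fallback for WordPress < 6.2, which has no %i placeholder: accept only
// characters that are legal in an unquoted MySQL identifier, then quote the
// name with backticks yourself. Hypothetical helper, not a WordPress API.
function example_quote_identifier( string $name ): string {
    if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $name ) ) {
        throw new InvalidArgumentException( 'unsafe identifier: ' . $name );
    }
    return '`' . $name . '`';
}

// Hardened form: %i (WordPress 6.2+) is the identifier placeholder. prepare()
// escapes the name and wraps it in backticks instead of single quotes, and the
// result of the ALTER is both checked and verified against the live schema.
function example_upgrade_schema_fixed(): bool {
    global $wpdb;
    $table = $wpdb->prefix . 'example_tokens';

    $sql = $wpdb->prepare(
        'ALTER TABLE %i MODIFY COLUMN token VARCHAR(255) NOT NULL',
        $table
    );

    if ( false === $wpdb->query( $sql ) ) {
        error_log( 'schema upgrade failed: ' . $wpdb->last_error );
        return false;
    }

    // Do not trust the return value alone: read the column definition back
    // and confirm the new width actually took effect. %s is correct for the
    // LIKE pattern, because that operand really is a string literal.
    $col = $wpdb->get_row(
        $wpdb->prepare( 'SHOW COLUMNS FROM %i LIKE %s', $table, 'token' ),
        ARRAY_A
    );

    return is_array( $col ) && 0 === strcasecmp( $col['Type'], 'varchar(255)' );
}
```

The detection point for a rule like this one is the placeholder, not the value: `%s` immediately after `ALTER TABLE`, `CREATE TABLE`, `DROP TABLE`, or in a column position is wrong regardless of where the name comes from, because `prepare()` will always quote it as a string. On installs older than 6.2 the identifier has to be validated and backtick-quoted outside `prepare()`, as in `example_quote_identifier()` above.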
greprules fetch cve-2025-12118-wpdb-prepare-alter-table-structural-injection --engine opengrep