WordPress 4.8.3 is now available. This is a security release for all previous versions and you are strongly encouraged to update your websites immediately.
WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but hardening was added to prevent plugins and themes from accidentally causing a vulnerability.
This release includes a change in behaviour for the esc_sql() function.
As part of the WordPress 4.8.3 release, there is a change in esc_sql() behaviour that may affect plugin developers who expect esc_sql() to return a string that’s usable outside of the context of building a query to send to WPDB. While it is strongly recommended not to use esc_sql() for other purposes, it’s understandable that it can be tricky to rewrite old code rapidly. To return to the old behaviour, you can use the $wpdb->remove_placeholder_escape() method.
echo esc_sql( "100%" );
// "100{9fa52f39262a451892931117b9ab11b5a06d3a15faee833cc75edb18b4411d11}"
echo $wpdb->remove_placeholder_escape( esc_sql( "100%" ) );
// "100%"
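For contrast with the snippet above, here is the pattern the release encourages: the untrusted value is handed to $wpdb->prepare() as an argument and never passed through esc_sql(), so the remove_placeholder_escape() step is not needed. This is an added example, not code from the release post or from WordPress core; it assumes a WordPress environment with the global $wpdb, and the function name is hypothetical.

```php
<?php
// Added example (not from the WordPress 4.8.3 release post). Assumes a
// WordPress environment with the global $wpdb; the function name is hypothetical.

/**
 * Return the IDs of published posts whose title contains $term,
 * where $term is untrusted input (e.g. a search box value).
 */
function example_find_post_ids( $term ) {
    global $wpdb;

    // esc_like() neutralises LIKE wildcards (% and _) typed by the user;
    // the surrounding % are our own, intentional wildcards.
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';

    // The untrusted value travels only as a prepare() argument. prepare()
    // escapes it for the %s placeholder, so the query text itself never
    // contains user-controlled characters and esc_sql() is not involved.
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts}
          WHERE post_status = 'publish' AND post_title LIKE %s",
        $pattern
    );

    // get_col() runs the prepared statement and returns the first column.
    return $wpdb->get_col( $sql );
}
```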