Again a SQL injection in WordPress. This time it is not in a plugin, it is in the core. $wpdb->prepare() is not properly sanitising SQL queries, so SQL commands can be injected.

Affected are versions before 4.8.3. The latest version is now 4.9.1.

https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

Update ASAP!

Andreas