[wp-trac] [WordPress Trac] #65055: _pad_term_counts() uses string-concatenated SQL without prepared statement
WordPress Trac
noreply at wordpress.org
Fri Apr 10 14:23:47 UTC 2026
#65055: _pad_term_counts() uses string-concatenated SQL without prepared statement
-------------------------------------+------------------------------
Reporter: rajeshcp | Owner: rajeshcp
Type: defect (bug) | Status: assigned
Priority: normal | Milestone: Awaiting Review
Component: Database | Version: trunk
Severity: major | Resolution:
Keywords: has-patch needs-testing | Focuses:
-------------------------------------+------------------------------
Comment (by abcd95):
The current code isn't exploitable — esc_sql() does handle escaping
correctly here, and the values involved are all server-side (database IDs
and registered post types, not user input). But switching to
$wpdb->prepare() is still the right call as a best-practice improvement.
The patch looks good.
One small addition worth considering: _update_post_term_count() filters
object_types through post_type_exists() before querying but
_pad_term_counts() doesn't. Could be worth adding for consistency.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/65055#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
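As an added illustration of the two query styles the comment contrasts (this is not the ticket's patch and not WordPress core code; the helper functions and their SQL are hypothetical), the concatenated form beside a `$wpdb->prepare()` form that also filters object types through `post_type_exists()`:

```php
<?php
// Added illustration, not the ticket's patch and not WordPress core code.
// Hypothetical helper: count published objects per term_taxonomy_id for a
// set of post types. Both versions assume a WordPress $wpdb instance.

// Before: each value is escaped with esc_sql() and spliced into the SQL
// string. The escaping is correct, but safety depends on every call site
// remembering to escape, which is what reviewers have to re-check each time.
function count_objects_concat( $wpdb, array $term_ids, array $object_types ) {
    $ids   = implode( ',', array_map( 'intval', $term_ids ) );
    $types = "'" . implode( "','", array_map( 'esc_sql', $object_types ) ) . "'";
    $sql   = "SELECT tr.term_taxonomy_id, COUNT(*) AS c FROM {$wpdb->term_relationships} tr"
           . " INNER JOIN {$wpdb->posts} p ON p.ID = tr.object_id"
           . " WHERE tr.term_taxonomy_id IN ({$ids})"
           . " AND p.post_type IN ({$types}) AND p.post_status = 'publish'"
           . " GROUP BY tr.term_taxonomy_id";
    return $wpdb->get_results( $sql );
}

// After: drop unregistered post types via post_type_exists() (the consistency
// point raised in the comment), then bind every value through
// $wpdb->prepare(), building one placeholder per element for each IN list.
function count_objects_prepared( $wpdb, array $term_ids, array $object_types ) {
    $term_ids     = array_map( 'intval', $term_ids );
    $object_types = array_values( array_filter( $object_types, 'post_type_exists' ) );
    if ( empty( $term_ids ) || empty( $object_types ) ) {
        return array(); // an empty IN () list would be a SQL syntax error
    }
    $id_ph   = implode( ',', array_fill( 0, count( $term_ids ), '%d' ) );
    $type_ph = implode( ',', array_fill( 0, count( $object_types ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT tr.term_taxonomy_id, COUNT(*) AS c FROM {$wpdb->term_relationships} tr"
        . " INNER JOIN {$wpdb->posts} p ON p.ID = tr.object_id"
        . " WHERE tr.term_taxonomy_id IN ({$id_ph})"
        . " AND p.post_type IN ({$type_ph}) AND p.post_status = 'publish'"
        . " GROUP BY tr.term_taxonomy_id",
        array_merge( $term_ids, $object_types ) // bound in placeholder order
    );
    return $wpdb->get_results( $sql );
}
```

The placeholder-per-element construction is the part that is easy to get wrong with `prepare()`: a single `%s` for a whole IN list would bind the joined string as one quoted value rather than a list.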