PCI compliance – SQL Injection & wp-comments-post.php

  • A PCI compliance scan on a client’s site reports that wp-comments-post.php is vulnerable to SQL Injection. Is this a known issue, and if so, is there a fix?

  • esmi (Forum Moderator)

    Please see the Security FAQ for information on reporting possible problems.

    The security FAQ directs me to send an e-mail to However, my experience is that messages to that address are not responded to.

    We are informed that a store we host is now non-compliant for PCI because of a bug detected in the current WP version.

    What is the status of a fix for this, please?

    Samuel Wood (Otto) (@otto42), Moderator / Admin

    There is no known issue with wp-comments-post, and it is not vulnerable to an SQL injection as far as we are aware.

    If you have found a vulnerability, then you should send email to that address. It will be dealt with promptly. However, that email address goes to a team of people who are knowledgeable in security matters and who can deal with the issue you are reporting promptly. They’ll ignore queries, they only deal with actual threats. So unless you know of a valid threat, then you shouldn’t email them.

    There cannot be a status for a fix for an issue that we know nothing about. We will need information on exactly what issue you are referring to, specifically, in order to respond properly.

    I posted to this older thread to make two points:

    1 – I never received any response to what I considered a very important message I sent to that address. I e-mailed them because refused to declare one of our sites compliant as long as comments were active. Our solution was to turn comments off, and with that done, the site passed compliance. I think that might be important enough to warrant some sort of response – perhaps you or the security team disagree.

    2 – I have a site that currently will not pass PCI compliance because told me tonight that (according to them) a vulnerability has been detected in the current version, and that the site will not be cleared until that vulnerability is resolved. Based on not receiving a reply from the security e-mail, as stated above, I thought I would try again here.

    Can you tell me if there is ANY issue being worked on that is related to PCI compliance? I need something more concrete to tell my client other than the fact that claims that WP is not PCI compliant, thus making their site non-compliant.

    I appreciate your feedback.

    Ryan Boren, Moderator / WordPress Dev

    There are no known PCI compliance issues. Every single one sent our way is either reporting ancient vulnerabilities that don’t apply to the version of WP being evaluated or is not a valid issue.
