WordPress 4.8.3 is now available. This is a security release for all previous versions and you are strongly encouraged you to update your websites immediately.

WordPress versions 4.8.2 and earlier are affected by an issue where $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but hardening was added to prevent plugins and themes from accidentally causing a vulnerability.

This release includes a change in behaviour for the esc_sql() function.

As part of the WordPress 4.8.3 release, there is a change in `esc_sql()` behaviour that may affect plugin developers who expect `esc_sql()` to return a string that’s usable outside of the context of building a query to send to WPDB. While it is strongly recommended not to use `esc_sql()` for other purposes, it’s understandable that it can be tricky to rewrite old code rapidly. To return to the old behaviour, you can use the `$wpdb->remove_placeholder_escape()` method.

echo esc_sql( “100%” );
// “100{9fa52f39262a451892931117b9ab11b5a06d3a15faee833cc75edb18b4411d11}”

echo $wpdb->remove_placeholder_escape( esc_sql( “100%” ) );
// “100%”