I reported the same vulnerability exactly a year ago. It was discovered using my PHP Analyzer (based on PHP Emulator), and was reported to the WP team. They merely dismissed it.
Joomla has the exact same problem in its SQL preparation, and that report is already available on GitHub. That one was reported 18 months ago, and dismissed as well.