Gennady Kovshenin
1 min read · Sep 20, 2017


Hold on, hold on, hold on. You base a vulnerability on a typo? A typo which any modern code editor catches (including vim)?

I’m not downplaying the appalling decision that was made almost a decade ago to base wpdb::prepare on sprintf-like functionality, and to actually use sprintf, or the even more disgusting lack of action that allowed us in core to keep it around for such a long time. I’m embarrassed.

But, please, do confirm that this is a typo that has not been seen in the wild. And that the probability of actually getting one in, a typo that passes testing without failing SQL syntax, is incomparable to the probability of simply not using wpdb::prepare to sanitize the SQL :) Am I wrong?

I have an issue going here: https://core.trac.wordpress.org/ticket/41925. It would be nice if you could chip in, Slavco. You did a great job of deducing a potential vulnerability based on a typo that PHP doesn’t catch (how on earth did you even get to that?). Now please come help us solve it :)
