MySQL vulnerable version

What issue or error are you experiencing?

IT is telling me this software is using a vulnerable version of MySQL (8.0.35+4). Is there an update coming in the pipeline?


What steps can be taken to replicate the issue? Feel free to include screenshots, videos, etc


System Details

  • Local Version: 9.2.8

  • Operating System (OS) and OS version: Windows 11 24H2


The developer needs to update to the latest LTS version.

Current LTS version: 8.4.6 (09 Jul 2025)

Hi @pacevedo

As you know, only the LocalWP development team can answer your question …

In the meantime … you can have a look through the official MySQL release notes for those future versions (8.0.36 to 8.0.44) and get an idea about exactly what your organisation's IT person is trying to communicate, on a deeper level.

Each version link has a great summary of what kind of features and bugs are added & fixed.

It is not a test; you do not have to memorise anything. It is just a chance to see what kind of topics the features & fixes address.

Then you can have a better conversation with the IT person (if you want to) and find out if it is just general advice they are providing or if you are at risk of being told to uninstall it.

If the IT person is leaning into getting you to uninstall LocalWP, then it might be an opportunity to discuss the networking interface that the MySQL database is configured to use as part of the LocalWP application … in a good way.

Specifically, you will notice that most of your sites are configured to respond to the localhost host, which is generally a loopback IP address and a separate network interface. This basically means that the MySQL database within LocalWP is NOT listening for or accepting database connections from any other computer on the network you are connected to.

It is generally the “database accepting connections from the network” that creates the biggest security exposure point … which is not an option with the way LocalWP is set up (I’m 99.321% sure).

So, while your organisation's IT person is technically correct from the MySQL database application / service perspective, they are also not fully correct from a network-interface-binding & external connections perspective, because the LocalWP databases are only talking to your specific computer where LocalWP is installed.

Conclusion: Knowing that each LocalWP website you run on your computer has its database configured to only listen on the loopback local network interface, and not external network interfaces like your organisation's intranet or the internet … then there is a suitable runtime wrapper around the MySQL database that stops other computers from exploiting your current version of MySQL in LocalWP. So, yes, you might be running a vulnerable version of MySQL (like 8.0.35), but it is not exposing any of them to the wider network for possible exploitation … only your local computer is the exposure point (to itself) if you are running other applications that are doing local exploits only (which is probably unlikely in a professional organisation with IT personnel).

Hey @Nick-B, the above information is based upon each site's /conf/mysql/my.cnf.hbs file using the bind-address = {{bindAddress}} configuration. The industry default for {{bindAddress}} is 127.0.0.1, which is the loopback network interface. Knowing this … Question: Is the above information & conclusion in alignment with the way LocalWP works under the hood?

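The reasoning in the post above rests on two things a practitioner would want to verify rather than assume: what bind-address the rendered my.cnf actually contains, and what address the server is really listening on at runtime. The script below is an added example, not LocalWP's own code, that does both checks from text: it parses the [mysqld] section of a my.cnf file (the rendered form of my.cnf.hbs, with {{bindAddress}} already substituted) and classifies the bind-address, then parses `netstat -ano` style listener lines for the configured port and flags any listener that is not on a loopback address. Both the config text and the netstat lines here are constructed samples; the port 10004, the PIDs and the second 0.0.0.0:3306 listener are invented to show the "exposed" case. The classification assumes MySQL 8.0's documented default of `*` (all interfaces) when bind-address is absent, and treats `skip-networking` as "no TCP at all".

```python
"""Check whether a MySQL instance is bound only to loopback.

Two independent checks, as a defender would run them:
1. Parse a my.cnf-style file (LocalWP renders my.cnf.hbs with the
   {{bindAddress}} placeholder filled in) and classify bind-address.
2. Parse `netstat -ano` (Windows) listener lines and confirm the port the
   server uses is listening on loopback addresses only.
"""
import ipaddress
import re

# Constructed sample of a rendered my.cnf (not a real LocalWP file).
SAMPLE_MY_CNF = """
[mysqld]
port = 10004
bind-address = 127.0.0.1
datadir = /path/to/data
"""

# Constructed sample of `netstat -ano` output; the 0.0.0.0:3306 line is
# invented to show what an externally reachable listener looks like.
SAMPLE_NETSTAT = """
  TCP    127.0.0.1:10004        0.0.0.0:0              LISTENING       4321
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       8765
  TCP    [::1]:10004            [::]:0                 LISTENING       4321
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)", re.I)


def parse_mysqld_section(text):
    """Return key -> value for the [mysqld] section of an INI-style my.cnf.
    Keys are normalised to lower case with '-' so bind_address and
    bind-address are treated alike; bare flags get an empty value."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower().replace("_", "-")] = value.strip().strip('"')
    return values


def is_loopback(addr):
    """True for 127.0.0.0/8, ::1 or the literal name localhost."""
    addr = addr.strip().strip("[]")
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def classify_bind_address(value):
    """'loopback', 'all-interfaces' or 'external'. MySQL 8.0 accepts a
    comma-separated list, so every entry must be loopback to qualify."""
    if value is None:
        return "all-interfaces"  # MySQL 8.0 default bind_address is '*'
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if any(p in ("*", "0.0.0.0", "::") for p in parts):
        return "all-interfaces"
    if parts and all(is_loopback(p) for p in parts):
        return "loopback"
    return "external"


def listeners_on_port(netstat_text, port):
    """Local addresses of LISTENING TCP sockets on the given port."""
    found = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        host, _, p = m.group(1).rpartition(":")  # handles [::1]:10004 too
        if int(p) == port:
            found.append(host.strip("[]"))
    return found


def exposed_listeners(netstat_text, port):
    """Listeners on the port that are NOT loopback, i.e. reachable from the LAN."""
    return [h for h in listeners_on_port(netstat_text, port) if not is_loopback(h)]


def audit(my_cnf_text, netstat_text):
    """Combine the config view and the runtime view into one verdict."""
    cfg = parse_mysqld_section(my_cnf_text)
    port = int(cfg.get("port", 3306))
    configured = "no-tcp" if "skip-networking" in cfg else classify_bind_address(cfg.get("bind-address"))
    exposed = exposed_listeners(netstat_text, port)
    return {
        "port": port,
        "configured": configured,
        "listening_on": listeners_on_port(netstat_text, port),
        "exposed": exposed,
        "local_only": configured in ("loopback", "no-tcp") and not exposed,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_MY_CNF, SAMPLE_NETSTAT))
```

On a real machine you would feed `audit()` the site's rendered my.cnf and the saved output of `netstat -ano`; a `local_only` verdict of True means the network exposure argument in the post holds for that site, while anything in `exposed` is the case the IT person is actually worried about. A loopback-only binding says nothing about processes already running on the same computer, which is the residual risk the post's conclusion also points out, so patching still matters; the check only tells you which of the two exposure paths applies.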

We have a ticket in our backlog to upgrade, but it’s not on our immediate list of things to do.

This is mostly due to the various reasons that @johnlang86 articulated (i.e., these DBs are only bound on the loopback interface).


This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.