Eval()'ed string not escaped properly
|Reported by:||sirzooro||Owned by:||ryan|
There is a problem with permalinks, which is the root cause of last series of attacks on WordPresses. URL rewrite engine does not escape dollar signs in rules generated from permalink format, so it is possible to inject PHP code using specially crafted permalink format. There are two places where eval() is called: classes.php:219 and rewrite.php:302. These dollar signs should be escaped during rule generation, in generate_rewrite_rules() - attached patch does this.
You can also consider adding code to remove dollars from permalink format if someone will enter it on options screen (when options are saved), or even better to validate if all %something% tags consists of letters, numbers and underscores only (and maybe dashes too).