WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#4973 closed defect (bug) (invalid)

Wordpress exploit and issue

Reported by: gobinathm
Owned by:
Milestone:
Priority: high
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

I am not sure whether this has been taken care of. Please look into the following information. It's from the Web Security Mailing List.

http://milw0rm.com/exploits/4397


From: Daniel Cuthbert <daniel.cuthbert@…>
Date: Sep 13, 2007 3:05 PM
Subject: [WEB SECURITY] When the community takes action
To: websecurity@…

Sigh, another Wordpress exploit and issue, no shock there!

http://milw0rm.com/exploits/4397

Wordpress has a massive user-base, and it seems that the developers
have little, or no, concept of any SDLC or basic secure development
as every new release is met by a serious remote vulnerability that
allows attackers to compromise the host blog in some form or manner.

In an ideal world, we'd see the lead developers saying they need help
and asking the community for that help, but what happens when they
don't?

I'm not saying become vigilantes or something, but something should
be done to help projects like Wordpress act in a more socially
responsible way.

Thoughts?

Change History (4)

comment:1 zamoose 7 years ago

Looks like all those exploits target the XML-RPC side of the house. All anti-blog/anti-WP preening aside, it does seem to have a good bit to exploit.

I'm not sure whether 2.2.3 addresses the flaw that the script claims 2.2.2 is vulnerable to...

comment:2 Otto42 7 years ago

This is not a "new" exploit. It's an automated program designed to exploit existing/known/fixed exploits.

The exploit it attempts for WordPress 2.2.2 installs is fixed in 2.2.3.

comment:3 Otto42 7 years ago

  • Resolution set to invalid
  • Status changed from new to closed

More information on the fixed 2.2.2 vulnerability that this exploit code attempts to use:
http://secunia.com/advisories/26771/
