WordPress 0 day exploit (version 3.0.1 and older)

We posted last week about the release of WordPress 3.0.2 that fixes a few security vulnerabilities.

Today, full details of the vulnerability and exploit code have been released. So if you haven’t upgraded yet, make sure to do so now (specially if your site has multiple authors).

“The do_trackbacks() function in wp-includes/comment.php does not properly escape the input that comes from the user, allowing a remote user with publish_posts and edit_published_posts capabilities to execute an arbitrary SELECT SQL query, which can lead to disclosure of any information stored in the WordPress database.”

Details here: http://www.vul.kr/wordpress-all-version-0day-exploit

Interested in WordPress security monitoring, visit http://sucuri.net.


Comments are closed.

You May Also Like